{"id": "OPENVAS:1361412562310122179", "type": "openvas", "bulletinFamily": "scanner", "title": "Oracle Linux Local Check: ELSA-2011-0498", "description": "Oracle Linux Local Security Checks ELSA-2011-0498", "published": "2015-10-06T00:00:00", "modified": "2018-09-28T00:00:00", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122179", "reporter": "Eero Volotinen", "references": ["http://linux.oracle.com/errata/ELSA-2011-0498.html"], "cvelist": ["CVE-2010-4649", "CVE-2011-1573", "CVE-2011-0006", "CVE-2011-0711", "CVE-2011-1079", "CVE-2011-1044", "CVE-2011-0712", "CVE-2011-1019", "CVE-2011-1013", "CVE-2010-4250", "CVE-2011-1093", "CVE-2011-1016", "CVE-2011-0726", "CVE-2010-4565", "CVE-2011-1080"], "lastseen": "2019-05-29T18:36:56", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "centos", "idList": ["CESA-2011:0833", "CESA-2011:0927"]}, {"type": "cve", "idList": ["CVE-2010-4250", "CVE-2010-4565", "CVE-2010-4649", "CVE-2011-0006", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1019", "CVE-2011-1044", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1479", "CVE-2011-1573"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2153-1:FDD6A", "DEBIAN:DSA-2240-1:38C7A", "DEBIAN:DSA-2264-1:87A7B", "DEBIAN:DSA-2310-1:3E5BE"]}, {"type": "fedora", "idList": ["FEDORA:329D9110666", "FEDORA:7AE2C1106A7", "FEDORA:A272A110C4A", "FEDORA:BD6A910FBAE"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2011-0833.NASL", "CENTOS_RHSA-2011-0927.NASL", "DEBIAN_DSA-2153.NASL", "DEBIAN_DSA-2240.NASL", "DEBIAN_DSA-2264.NASL", "DEBIAN_DSA-2310.NASL", "FEDORA_2011-1138.NASL", "FEDORA_2011-2134.NASL", "FEDORA_2011-6447.NASL", "FEDORA_2011-6541.NASL", "NEWSTART_CGSL_NS-SA-2019-0264_KERNEL.NASL", "NEWSTART_CGSL_NS-SA-2019-0266_KERNEL-RT.NASL", "ORACLELINUX_ELSA-2011-0498.NASL", "ORACLELINUX_ELSA-2011-0833.NASL", "ORACLELINUX_ELSA-2011-0927.NASL", "ORACLELINUX_ELSA-2011-2015.NASL", "ORACLELINUX_ELSA-2019-4685.NASL", "ORACLEVM_OVMSA-2013-0039.NASL", "ORACLEVM_OVMSA-2019-0024.NASL", "REDHAT-RHSA-2011-0498.NASL", "REDHAT-RHSA-2011-0833.NASL", "REDHAT-RHSA-2011-0927.NASL", "REDHAT-RHSA-2011-1090.NASL", "REDHAT-RHSA-2011-1253.NASL", "SL_20110510_KERNEL_ON_SL6_X.NASL", "SL_20110531_KERNEL_ON_SL5_X.NASL", "SL_20110715_KERNEL_ON_SL5_X.NASL", "SUSE_11_2_KERNEL-110413.NASL", "SUSE_11_3_KERNEL-110414.NASL", "SUSE_11_3_KERNEL-110726.NASL", "SUSE_11_4_KERNEL-110426.NASL", "SUSE_11_4_KERNEL-120104.NASL", "SUSE_11_KERNEL-110228.NASL", "SUSE_11_KERNEL-110414.NASL", "SUSE_11_KERNEL-110415.NASL", "SUSE_11_KERNEL-110718.NASL", "SUSE_KERNEL-7381.NASL", "SUSE_KERNEL-7384.NASL", "SUSE_KERNEL-7515.NASL", "SUSE_KERNEL-7516.NASL", "SUSE_KERNEL-7568.NASL", "SUSE_KERNEL-7665.NASL", "SUSE_KERNEL-7666.NASL", "SUSE_KERNEL-7729.NASL", "SUSE_KERNEL-7734.NASL", "SUSE_KERNEL-7915.NASL", "SUSE_KERNEL-7918.NASL", "SUSE_KERNEL-8324.NASL", "SUSE_KERNEL-8325.NASL", "SUSE_SU-2012-1391-1.NASL", "UBUNTU_USN-1080-1.NASL", "UBUNTU_USN-1080-2.NASL", "UBUNTU_USN-1081-1.NASL", "UBUNTU_USN-1093-1.NASL", "UBUNTU_USN-1133-1.NASL", "UBUNTU_USN-1141-1.NASL", "UBUNTU_USN-1146-1.NASL", "UBUNTU_USN-1159-1.NASL", "UBUNTU_USN-1160-1.NASL", "UBUNTU_USN-1162-1.NASL", "UBUNTU_USN-1164-1.NASL", "UBUNTU_USN-1167-1.NASL", "UBUNTU_USN-1170-1.NASL", "UBUNTU_USN-1186-1.NASL", "UBUNTU_USN-1187-1.NASL", "UBUNTU_USN-1189-1.NASL", "UBUNTU_USN-1202-1.NASL", "UBUNTU_USN-1204-1.NASL", "UBUNTU_USN-1212-1.NASL", "UBUNTU_USN-1236-1.NASL", "UBUNTU_USN-1241-1.NASL", "UBUNTU_USN-1242-1.NASL", "UBUNTU_USN-1243-1.NASL", "UBUNTU_USN-1256-1.NASL", "UBUNTU_USN-1394-1.NASL", "VMWARE_VMSA-2012-0001.NASL", "VMWARE_VMSA-2012-0001_REMOTE.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:103448", "OPENVAS:1361412562310103448", "OPENVAS:1361412562310122132", "OPENVAS:1361412562310122155", "OPENVAS:1361412562310122177", "OPENVAS:136141256231068992", "OPENVAS:136141256231069970", "OPENVAS:1361412562310831331", "OPENVAS:1361412562310840599", "OPENVAS:1361412562310840600", "OPENVAS:1361412562310840601", "OPENVAS:1361412562310840663", "OPENVAS:1361412562310840671", "OPENVAS:1361412562310840676", "OPENVAS:1361412562310840691", "OPENVAS:1361412562310840693", "OPENVAS:1361412562310840696", "OPENVAS:1361412562310840699", "OPENVAS:1361412562310840700", "OPENVAS:1361412562310840703", "OPENVAS:1361412562310840718", "OPENVAS:1361412562310840720", "OPENVAS:1361412562310840725", "OPENVAS:1361412562310840744", "OPENVAS:1361412562310840745", "OPENVAS:1361412562310840748", "OPENVAS:1361412562310840778", "OPENVAS:1361412562310840785", "OPENVAS:1361412562310840789", "OPENVAS:1361412562310840790", "OPENVAS:1361412562310840802", "OPENVAS:1361412562310840927", "OPENVAS:1361412562310850163", "OPENVAS:1361412562310850165", "OPENVAS:1361412562310850211", "OPENVAS:1361412562310862842", "OPENVAS:1361412562310862910", "OPENVAS:1361412562310863087", "OPENVAS:1361412562310863292", "OPENVAS:1361412562310870439", "OPENVAS:1361412562310870453", "OPENVAS:1361412562310870632", "OPENVAS:1361412562310880545", "OPENVAS:1361412562310880551", "OPENVAS:1361412562310881248", "OPENVAS:1361412562310881342", "OPENVAS:68992", "OPENVAS:69970", "OPENVAS:831331", "OPENVAS:840599", "OPENVAS:840600", "OPENVAS:840601", "OPENVAS:840663", "OPENVAS:840671", "OPENVAS:840676", "OPENVAS:840691", "OPENVAS:840693", "OPENVAS:840696", "OPENVAS:840699", "OPENVAS:840700", "OPENVAS:840703", "OPENVAS:840718", "OPENVAS:840720", "OPENVAS:840725", "OPENVAS:840744", "OPENVAS:840745", "OPENVAS:840748", "OPENVAS:840778", "OPENVAS:840785", "OPENVAS:840789", "OPENVAS:840790", "OPENVAS:840802", "OPENVAS:840927", "OPENVAS:850163", "OPENVAS:850165", "OPENVAS:850211", "OPENVAS:862842", "OPENVAS:862910", "OPENVAS:863087", "OPENVAS:863292", "OPENVAS:870439", "OPENVAS:870453", "OPENVAS:870632", "OPENVAS:880545", "OPENVAS:880551", "OPENVAS:881248", "OPENVAS:881342"]}, {"type": "oraclelinux", "idList": ["ELSA-2011-0421", "ELSA-2011-0498", "ELSA-2011-0542", "ELSA-2011-0833", "ELSA-2011-0927", "ELSA-2011-1065", "ELSA-2011-2015", "ELSA-2019-4670", "ELSA-2019-4672", "ELSA-2019-4675", "ELSA-2019-4685"]}, {"type": "osv", "idList": ["OSV:DSA-2153-1", "OSV:DSA-2240-1", "OSV:DSA-2264-1", "OSV:DSA-2310-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:105078"]}, {"type": "redhat", "idList": ["RHSA-2011:0330", "RHSA-2011:0498", "RHSA-2011:0500", "RHSA-2011:0833", "RHSA-2011:0927", "RHSA-2011:1090", "RHSA-2011:1253"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25594", "SECURITYVULNS:DOC:26397", "SECURITYVULNS:DOC:26416", "SECURITYVULNS:DOC:26447", "SECURITYVULNS:DOC:30412", "SECURITYVULNS:VULN:11394", "SECURITYVULNS:VULN:11588", "SECURITYVULNS:VULN:11656", "SECURITYVULNS:VULN:11708"]}, {"type": "seebug", "idList": ["SSV:20357", "SSV:20512", "SSV:20536", "SSV:20537"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2012:0236-1", "SUSE-SA:2011:012", "SUSE-SA:2011:015", "SUSE-SA:2011:017", "SUSE-SA:2011:019", "SUSE-SA:2011:020", "SUSE-SA:2011:021", "SUSE-SA:2011:026", "SUSE-SA:2011:027", "SUSE-SA:2011:031", "SUSE-SA:2011:034", "SUSE-SA:2011:040", "SUSE-SU-2011:0711-1", "SUSE-SU-2011:0832-1", "SUSE-SU-2011:0899-1", "SUSE-SU-2011:1058-1", "SUSE-SU-2012:1391-1"]}, {"type": "ubuntu", "idList": ["USN-1080-1", "USN-1080-2", "USN-1081-1", "USN-1093-1", "USN-1141-1", "USN-1146-1", "USN-1159-1", "USN-1160-1", "USN-1162-1", "USN-1164-1", "USN-1167-1", "USN-1170-1", "USN-1186-1", "USN-1187-1", "USN-1189-1", "USN-1202-1", "USN-1204-1", "USN-1212-1", "USN-1236-1", "USN-1241-1", "USN-1242-1", "USN-1243-1", "USN-1256-1", "USN-1394-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2010-4250", "UB:CVE-2010-4565", "UB:CVE-2010-4649", "UB:CVE-2011-0006", "UB:CVE-2011-0711", "UB:CVE-2011-0712", "UB:CVE-2011-0726", "UB:CVE-2011-1013", "UB:CVE-2011-1016", "UB:CVE-2011-1019", "UB:CVE-2011-1044", "UB:CVE-2011-1079", "UB:CVE-2011-1080", "UB:CVE-2011-1093", "UB:CVE-2011-1479", "UB:CVE-2011-1573"]}, {"type": "veracode", "idList": ["VERACODE:24512", "VERACODE:24514", "VERACODE:24515", "VERACODE:24516", "VERACODE:24651", "VERACODE:24652", "VERACODE:24653", "VERACODE:24654", "VERACODE:24655", "VERACODE:24656", "VERACODE:24657", "VERACODE:24658", "VERACODE:24659", "VERACODE:24660", "VERACODE:24661", "VERACODE:24788"]}, {"type": "vmware", "idList": ["VMSA-2012-0001", "VMSA-2012-0001.2"]}]}, "score": {"value": -0.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "centos", "idList": ["CESA-2011:0833", "CESA-2011:0927"]}, {"type": "cve", "idList": ["CVE-2010-4250", "CVE-2010-4565", "CVE-2010-4649", "CVE-2011-0006", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1019", "CVE-2011-1044", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1573"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2264-1:87A7B"]}, {"type": "fedora", "idList": ["FEDORA:A272A110C4A"]}, {"type": "nessus", "idList": ["NEWSTART_CGSL_NS-SA-2019-0264_KERNEL.NASL", "NEWSTART_CGSL_NS-SA-2019-0266_KERNEL-RT.NASL", "ORACLELINUX_ELSA-2011-0927.NASL", "SUSE_KERNEL-7516.NASL", "SUSE_KERNEL-8324.NASL", "UBUNTU_USN-1080-1.NASL", "UBUNTU_USN-1133-1.NASL", "UBUNTU_USN-1164-1.NASL", "UBUNTU_USN-1243-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310840700", "OPENVAS:1361412562310870632", "OPENVAS:880545"]}, {"type": "oraclelinux", "idList": ["ELSA-2011-0421", "ELSA-2011-0498", "ELSA-2011-0542", "ELSA-2011-0833", "ELSA-2011-0927", "ELSA-2011-1065", "ELSA-2011-2015"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:105078"]}, {"type": "redhat", "idList": ["RHSA-2011:0498", "RHSA-2011:0833", "RHSA-2011:0927"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:26447"]}, {"type": "seebug", "idList": ["SSV:20537"]}, {"type": "suse", "idList": ["SUSE-SA:2011:015", "SUSE-SU-2011:1058-1"]}, {"type": "ubuntu", "idList": ["USN-1236-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2011-1093"]}, {"type": "vmware", "idList": ["VMSA-2012-0001"]}]}, "exploitation": null, "vulnersScore": -0.0}, "pluginID": "1361412562310122179", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2011-0498.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122179\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:14:20 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2011-0498\");\n script_tag(name:\"insight\", value:\"ELSA-2011-0498 - kernel security, bug fix, and enhancement update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2011-0498\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2011-0498.html\");\n script_cve_id(\"CVE-2010-4250\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2011-0006\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1019\", \"CVE-2011-1044\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1573\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~71.29.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~71.29.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~71.29.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~71.29.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~71.29.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-firmware\", rpm:\"kernel-firmware~2.6.32~71.29.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~71.29.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~71.29.1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "naslFamily": "Oracle Linux Local Security Checks", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660012827, "score": 1659840693}, "_internal": {"score_hash": "d191f65903e7e7480e63ba5f5ef7853e"}}
{"nessus": [{"lastseen": "2023-01-11T14:28:53", "description": "Updated kernel packages that fix several security issues, various bugs, and add an enhancement are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity fixes :\n\n* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important)\n\n* An integer signedness flaw in drm_modeset_ctl() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1013, Important)\n\n* The Radeon GPU drivers in the Linux kernel were missing sanity checks for the Anti Aliasing (AA) resolve register values which could allow a local, unprivileged user to cause a denial of service or escalate their privileges on systems using a graphics card from the ATI Radeon R300, R400, or R500 family of cards. (CVE-2011-1016, Important)\n\n* A flaw in dccp_rcv_state_process() could allow a remote attacker to cause a denial of service, even when the socket was already closed.\n(CVE-2011-1093, Important)\n\n* A flaw in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl 'net.sctp.addip_enable' and 'auth_enable' variables were turned on (they are off by default). (CVE-2011-1573, Important)\n\n* A memory leak in the inotify_init() system call. In some cases, it could leak a group, which could allow a local, unprivileged user to eventually cause a denial of service. (CVE-2010-4250, Moderate)\n\n* A missing validation of a null-terminated string data structure element in bnep_sock_ioctl() could allow a local user to cause an information leak or a denial of service. (CVE-2011-1079, Moderate)\n\n* An information leak in bcm_connect() in the Controller Area Network (CAN) Broadcast Manager implementation could allow a local, unprivileged user to leak kernel mode addresses in '/proc/net/can-bcm'. (CVE-2010-4565, Low)\n\n* A flaw was found in the Linux kernel's Integrity Measurement Architecture (IMA) implementation. When SELinux was disabled, adding an IMA rule which was supposed to be processed by SELinux would cause ima_match_rules() to always succeed, ignoring any remaining rules.\n(CVE-2011-0006, Low)\n\n* A missing initialization flaw in the XFS file system implementation could lead to an information leak. (CVE-2011-0711, Low)\n\n* Buffer overflow flaws in snd_usb_caiaq_audio_init() and snd_usb_caiaq_midi_init() could allow a local, unprivileged user with access to a Native Instruments USB audio device to cause a denial of service or escalate their privileges. (CVE-2011-0712, Low)\n\n* The start_code and end_code values in '/proc/[pid]/stat' were not protected. In certain scenarios, this flaw could be used to defeat Address Space Layout Randomization (ASLR). (CVE-2011-0726, Low)\n\n* A flaw in dev_load() could allow a local user who has the CAP_NET_ADMIN capability to load arbitrary modules from '/lib/modules/', instead of only netdev modules. (CVE-2011-1019, Low)\n\n* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak. (CVE-2011-1044, Low)\n\n* A missing validation of a null-terminated string data structure element in do_replace() could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080, Low)\n\nRed Hat would like to thank Vegard Nossum for reporting CVE-2010-4250;\nVasiliy Kulikov for reporting CVE-2011-1079, CVE-2011-1019, and CVE-2011-1080; Dan Rosenberg for reporting CVE-2010-4565 and CVE-2011-0711; Rafael Dominguez Vega for reporting CVE-2011-0712; and Kees Cook for reporting CVE-2011-0726.\n\nThis update also fixes various bugs and adds an enhancement.\nDocumentation for these changes will be available shortly from the Technical Notes document linked to in the References section.\n\nUsers should upgrade to these updated packages, which contain backported patches to resolve these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2011-05-11T00:00:00", "type": "nessus", "title": "RHEL 6 : kernel (RHSA-2011:0498)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4250", "CVE-2010-4565", "CVE-2010-4649", "CVE-2011-0006", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1019", "CVE-2011-1044", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1573"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:6.0"], "id": "REDHAT-RHSA-2011-0498.NASL", "href": "https://www.tenable.com/plugins/nessus/53867", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2011:0498. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(53867);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-4250\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2011-0006\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1019\", \"CVE-2011-1044\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1573\");\n script_bugtraq_id(46417, 46419, 46488, 46557, 46616, 46793, 47308, 47639, 47792);\n script_xref(name:\"RHSA\", value:\"2011:0498\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2011:0498)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix several security issues, various\nbugs, and add an enhancement are now available for Red Hat Enterprise\nLinux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity fixes :\n\n* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local,\nunprivileged user to cause a denial of service or escalate their\nprivileges. (CVE-2010-4649, Important)\n\n* An integer signedness flaw in drm_modeset_ctl() could allow a local,\nunprivileged user to cause a denial of service or escalate their\nprivileges. (CVE-2011-1013, Important)\n\n* The Radeon GPU drivers in the Linux kernel were missing sanity\nchecks for the Anti Aliasing (AA) resolve register values which could\nallow a local, unprivileged user to cause a denial of service or\nescalate their privileges on systems using a graphics card from the\nATI Radeon R300, R400, or R500 family of cards. (CVE-2011-1016,\nImportant)\n\n* A flaw in dccp_rcv_state_process() could allow a remote attacker to\ncause a denial of service, even when the socket was already closed.\n(CVE-2011-1093, Important)\n\n* A flaw in the Linux kernel's Stream Control Transmission Protocol\n(SCTP) implementation could allow a remote attacker to cause a denial\nof service if the sysctl 'net.sctp.addip_enable' and 'auth_enable'\nvariables were turned on (they are off by default). (CVE-2011-1573,\nImportant)\n\n* A memory leak in the inotify_init() system call. In some cases, it\ncould leak a group, which could allow a local, unprivileged user to\neventually cause a denial of service. (CVE-2010-4250, Moderate)\n\n* A missing validation of a null-terminated string data structure\nelement in bnep_sock_ioctl() could allow a local user to cause an\ninformation leak or a denial of service. (CVE-2011-1079, Moderate)\n\n* An information leak in bcm_connect() in the Controller Area Network\n(CAN) Broadcast Manager implementation could allow a local,\nunprivileged user to leak kernel mode addresses in\n'/proc/net/can-bcm'. (CVE-2010-4565, Low)\n\n* A flaw was found in the Linux kernel's Integrity Measurement\nArchitecture (IMA) implementation. When SELinux was disabled, adding\nan IMA rule which was supposed to be processed by SELinux would cause\nima_match_rules() to always succeed, ignoring any remaining rules.\n(CVE-2011-0006, Low)\n\n* A missing initialization flaw in the XFS file system implementation\ncould lead to an information leak. (CVE-2011-0711, Low)\n\n* Buffer overflow flaws in snd_usb_caiaq_audio_init() and\nsnd_usb_caiaq_midi_init() could allow a local, unprivileged user with\naccess to a Native Instruments USB audio device to cause a denial of\nservice or escalate their privileges. (CVE-2011-0712, Low)\n\n* The start_code and end_code values in '/proc/[pid]/stat' were not\nprotected. In certain scenarios, this flaw could be used to defeat\nAddress Space Layout Randomization (ASLR). (CVE-2011-0726, Low)\n\n* A flaw in dev_load() could allow a local user who has the\nCAP_NET_ADMIN capability to load arbitrary modules from\n'/lib/modules/', instead of only netdev modules. (CVE-2011-1019, Low)\n\n* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user\nto cause an information leak. (CVE-2011-1044, Low)\n\n* A missing validation of a null-terminated string data structure\nelement in do_replace() could allow a local user who has the\nCAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080,\nLow)\n\nRed Hat would like to thank Vegard Nossum for reporting CVE-2010-4250;\nVasiliy Kulikov for reporting CVE-2011-1079, CVE-2011-1019, and\nCVE-2011-1080; Dan Rosenberg for reporting CVE-2010-4565 and\nCVE-2011-0711; Rafael Dominguez Vega for reporting CVE-2011-0712; and\nKees Cook for reporting CVE-2011-0726.\n\nThis update also fixes various bugs and adds an enhancement.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nUsers should upgrade to these updated packages, which contain\nbackported patches to resolve these issues, and fix the bugs and add\nthe enhancement noted in the Technical Notes. The system must be\nrebooted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-4250\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-4565\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-4649\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-0006\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-0711\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-0712\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-0726\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1013\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1016\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1019\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1044\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1079\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1080\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1093\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1573\"\n );\n # http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?056c0c27\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2011:0498\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/12/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2010-4250\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2011-0006\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1019\", \"CVE-2011-1044\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1573\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2011:0498\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2011:0498\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debug-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debug-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debug-debuginfo-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debug-devel-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debug-devel-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debuginfo-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debuginfo-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-devel-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-devel-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-doc-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-firmware-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-headers-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-headers-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-kdump-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-kdump-devel-2.6.32-71.29.1.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"perf-2.6.32-71.29.1.el6\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debug / kernel-debug-debuginfo / kernel-debug-devel / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:26:19", "description": "Security fixes :\n\n - An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important)\n\n - An integer signedness flaw in drm_modeset_ctl() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1013, Important)\n\n - The Radeon GPU drivers in the Linux kernel were missing sanity checks for the Anti Aliasing (AA) resolve register values which could allow a local, unprivileged user to cause a denial of service or escalate their privileges on systems using a graphics card from the ATI Radeon R300, R400, or R500 family of cards.\n (CVE-2011-1016, Important)\n\n - A flaw in dccp_rcv_state_process() could allow a remote attacker to cause a denial of service, even when the socket was already closed. (CVE-2011-1093, Important)\n\n - A flaw in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl 'net.sctp.addip_enable' and 'auth_enable' variables were turned on (they are off by default). (CVE-2011-1573, Important)\n\n - A memory leak in the inotify_init() system call. In some cases, it could leak a group, which could allow a local, unprivileged user to eventually cause a denial of service. (CVE-2010-4250, Moderate)\n\n - A missing validation of a null-terminated string data structure element in bnep_sock_ioctl() could allow a local user to cause an information leak or a denial of service. (CVE-2011-1079, Moderate)\n\n - An information leak in bcm_connect() in the Controller Area Network (CAN) Broadcast Manager implementation could allow a local, unprivileged user to leak kernel mode addresses in '/proc/net/can-bcm'. (CVE-2010-4565, Low)\n\n - A flaw was found in the Linux kernel's Integrity Measurement Architecture (IMA) implementation. When SELinux was disabled, adding an IMA rule which was supposed to be processed by SELinux would cause ima_match_rules() to always succeed, ignoring any remaining rules. (CVE-2011-0006, Low)\n\n - A missing initialization flaw in the XFS file system implementation could lead to an information leak.\n (CVE-2011-0711, Low)\n\n - Buffer overflow flaws in snd_usb_caiaq_audio_init() and snd_usb_caiaq_midi_init() could allow a local, unprivileged user with access to a Native Instruments USB audio device to cause a denial of service or escalate their privileges. (CVE-2011-0712, Low)\n\n - The start_code and end_code values in '/proc/[pid]/stat' were not protected. In certain scenarios, this flaw could be used to defeat Address Space Layout Randomization (ASLR). (CVE-2011-0726, Low)\n\n - A flaw in dev_load() could allow a local user who has the CAP_NET_ADMIN capability to load arbitrary modules from '/lib/modules/', instead of only netdev modules.\n (CVE-2011-1019, Low)\n\n - A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak.\n (CVE-2011-1044, Low)\n\n - A missing validation of a null-terminated string data structure element in do_replace() could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080, Low)\n\nThis update also fixes various bugs.\n\nThis update also adds an enhancement.\n\n - This update provides VLAN null tagging support (VLAN ID 0 can be used in tags).\n\nThe system must be rebooted for this update to take effect.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2012-08-01T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : kernel on SL6.x i386/x86_64", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4250", "CVE-2010-4565", "CVE-2010-4649", "CVE-2011-0006", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1019", "CVE-2011-1044", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1573"], "modified": "2021-01-14T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20110510_KERNEL_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/61035", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(61035);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-4250\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2011-0006\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1019\", \"CVE-2011-1044\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1573\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fixes :\n\n - An integer overflow flaw in ib_uverbs_poll_cq() could\n allow a local, unprivileged user to cause a denial of\n service or escalate their privileges. (CVE-2010-4649,\n Important)\n\n - An integer signedness flaw in drm_modeset_ctl() could\n allow a local, unprivileged user to cause a denial of\n service or escalate their privileges. (CVE-2011-1013,\n Important)\n\n - The Radeon GPU drivers in the Linux kernel were missing\n sanity checks for the Anti Aliasing (AA) resolve\n register values which could allow a local, unprivileged\n user to cause a denial of service or escalate their\n privileges on systems using a graphics card from the ATI\n Radeon R300, R400, or R500 family of cards.\n (CVE-2011-1016, Important)\n\n - A flaw in dccp_rcv_state_process() could allow a remote\n attacker to cause a denial of service, even when the\n socket was already closed. (CVE-2011-1093, Important)\n\n - A flaw in the Linux kernel's Stream Control Transmission\n Protocol (SCTP) implementation could allow a remote\n attacker to cause a denial of service if the sysctl\n 'net.sctp.addip_enable' and 'auth_enable' variables were\n turned on (they are off by default). (CVE-2011-1573,\n Important)\n\n - A memory leak in the inotify_init() system call. In some\n cases, it could leak a group, which could allow a local,\n unprivileged user to eventually cause a denial of\n service. (CVE-2010-4250, Moderate)\n\n - A missing validation of a null-terminated string data\n structure element in bnep_sock_ioctl() could allow a\n local user to cause an information leak or a denial of\n service. (CVE-2011-1079, Moderate)\n\n - An information leak in bcm_connect() in the Controller\n Area Network (CAN) Broadcast Manager implementation\n could allow a local, unprivileged user to leak kernel\n mode addresses in '/proc/net/can-bcm'. (CVE-2010-4565,\n Low)\n\n - A flaw was found in the Linux kernel's Integrity\n Measurement Architecture (IMA) implementation. When\n SELinux was disabled, adding an IMA rule which was\n supposed to be processed by SELinux would cause\n ima_match_rules() to always succeed, ignoring any\n remaining rules. (CVE-2011-0006, Low)\n\n - A missing initialization flaw in the XFS file system\n implementation could lead to an information leak.\n (CVE-2011-0711, Low)\n\n - Buffer overflow flaws in snd_usb_caiaq_audio_init() and\n snd_usb_caiaq_midi_init() could allow a local,\n unprivileged user with access to a Native Instruments\n USB audio device to cause a denial of service or\n escalate their privileges. (CVE-2011-0712, Low)\n\n - The start_code and end_code values in '/proc/[pid]/stat'\n were not protected. In certain scenarios, this flaw\n could be used to defeat Address Space Layout\n Randomization (ASLR). (CVE-2011-0726, Low)\n\n - A flaw in dev_load() could allow a local user who has\n the CAP_NET_ADMIN capability to load arbitrary modules\n from '/lib/modules/', instead of only netdev modules.\n (CVE-2011-1019, Low)\n\n - A flaw in ib_uverbs_poll_cq() could allow a local,\n unprivileged user to cause an information leak.\n (CVE-2011-1044, Low)\n\n - A missing validation of a null-terminated string data\n structure element in do_replace() could allow a local\n user who has the CAP_NET_ADMIN capability to cause an\n information leak. (CVE-2011-1080, Low)\n\nThis update also fixes various bugs.\n\nThis update also adds an enhancement.\n\n - This update provides VLAN null tagging support (VLAN ID\n 0 can be used in tags).\n\nThe system must be rebooted for this update to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1105&L=scientific-linux-errata&T=0&P=857\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?927fa090\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/12/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"kernel-2.6.32-71.29.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-2.6.32-71.29.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-devel-2.6.32-71.29.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-devel-2.6.32-71.29.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-doc-2.6.32-71.29.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-firmware-2.6.32-71.29.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-headers-2.6.32-71.29.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"perf-2.6.32-71.29.1.el6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:48:15", "description": "The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-0498 advisory.\n\n - Memory leak in the inotify_init1 function in fs/notify/inotify/inotify_user.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory consumption) via vectors involving failed attempts to create files. (CVE-2010-4250)\n\n - The bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the Controller Area Network (CAN) implementation in the Linux kernel 2.6.36 and earlier creates a publicly accessible file with a filename containing a kernel memory address, which allows local users to obtain potentially sensitive information about kernel memory use by listing this filename. (CVE-2010-4565)\n\n - Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large value of a certain structure member. (CVE-2010-4649)\n\n - The ima_lsm_rule_init function in security/integrity/ima/ima_policy.c in the Linux kernel before 2.6.37, when the Linux Security Modules (LSM) framework is disabled, allows local users to bypass Integrity Measurement Architecture (IMA) rules in opportunistic circumstances by leveraging an administrator's addition of an IMA rule for LSM. (CVE-2011-0006)\n\n - The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FSGEOMETRY_V1 ioctl call. (CVE-2011-0711)\n\n - Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel before 2.6.38-rc4-next-20110215 might allow attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.\n (CVE-2011-0712)\n\n - The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE binary. (CVE-2011-0726)\n\n - Integer signedness error in the drm_modeset_ctl function in (1) drivers/gpu/drm/drm_irq.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.38 and (2) sys/dev/pci/drm/drm_irq.c in the kernel in OpenBSD before 4.9 allows local users to trigger out-of-bounds write operations, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via a crafted num_crtcs (aka vb_num) structure member in an ioctl argument. (CVE-2011-1013)\n\n - The Radeon GPU drivers in the Linux kernel before 2.6.38-rc5 do not properly validate data related to the AA resolve registers, which allows local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values. (CVE-2011-1016)\n\n - The dev_load function in net/core/dev.c in the Linux kernel before 2.6.38 allows local users to bypass an intended CAP_SYS_MODULE capability requirement and load arbitrary modules by leveraging the CAP_NET_ADMIN capability. (CVE-2011-1019)\n\n - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 does not initialize a certain response buffer, which allows local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. (CVE-2011-1044)\n\n - The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a '\\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory, or cause a denial of service (BUG and system crash), via a BNEPCONNADD command. (CVE-2011-1079)\n\n - The do_replace function in net/bridge/netfilter/ebtables.c in the Linux kernel before 2.6.39 does not ensure that a certain name field ends with a '\\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability to replace a table, and then reading a modprobe command line. (CVE-2011-1080)\n\n - The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint, which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet. (CVE-2011-1093)\n\n - net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip_enable and auth_enable are used, does not consider the amount of zero padding during calculation of chunk lengths for (1) INIT and (2) INIT ACK chunks, which allows remote attackers to cause a denial of service (OOPS) via crafted packet data.\n (CVE-2011-1573)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2013-07-12T00:00:00", "type": "nessus", "title": "Oracle Linux 6 : kernel (ELSA-2011-0498)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4250", "CVE-2010-4565", "CVE-2010-4649", "CVE-2011-0006", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1019", "CVE-2011-1044", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1573"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-firmware", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:perf"], "id": "ORACLELINUX_ELSA-2011-0498.NASL", "href": "https://www.tenable.com/plugins/nessus/68273", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2011-0498.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68273);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2010-4250\",\n \"CVE-2010-4565\",\n \"CVE-2010-4649\",\n \"CVE-2011-0006\",\n \"CVE-2011-0711\",\n \"CVE-2011-0712\",\n \"CVE-2011-0726\",\n \"CVE-2011-1013\",\n \"CVE-2011-1016\",\n \"CVE-2011-1019\",\n \"CVE-2011-1044\",\n \"CVE-2011-1079\",\n \"CVE-2011-1080\",\n \"CVE-2011-1093\",\n \"CVE-2011-1573\"\n );\n script_bugtraq_id(\n 46417,\n 46419,\n 46488,\n 46557,\n 46616,\n 46793,\n 47308,\n 47639,\n 47792\n );\n script_xref(name:\"RHSA\", value:\"2011:0498\");\n\n script_name(english:\"Oracle Linux 6 : kernel (ELSA-2011-0498)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2011-0498 advisory.\n\n - Memory leak in the inotify_init1 function in fs/notify/inotify/inotify_user.c in the Linux kernel before\n 2.6.37 allows local users to cause a denial of service (memory consumption) via vectors involving failed\n attempts to create files. (CVE-2010-4250)\n\n - The bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the Controller Area Network (CAN)\n implementation in the Linux kernel 2.6.36 and earlier creates a publicly accessible file with a filename\n containing a kernel memory address, which allows local users to obtain potentially sensitive information\n about kernel memory use by listing this filename. (CVE-2010-4565)\n\n - Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux\n kernel before 2.6.37 allows local users to cause a denial of service (memory corruption) or possibly have\n unspecified other impact via a large value of a certain structure member. (CVE-2010-4649)\n\n - The ima_lsm_rule_init function in security/integrity/ima/ima_policy.c in the Linux kernel before 2.6.37,\n when the Linux Security Modules (LSM) framework is disabled, allows local users to bypass Integrity\n Measurement Architecture (IMA) rules in opportunistic circumstances by leveraging an administrator's\n addition of an IMA rule for LSM. (CVE-2011-0006)\n\n - The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not\n initialize a certain structure member, which allows local users to obtain potentially sensitive\n information from kernel stack memory via an FSGEOMETRY_V1 ioctl call. (CVE-2011-0711)\n\n - Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel\n before 2.6.38-rc4-next-20110215 might allow attackers to cause a denial of service or possibly have\n unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function\n in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.\n (CVE-2011-0712)\n\n - The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an\n expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by\n reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE\n binary. (CVE-2011-0726)\n\n - Integer signedness error in the drm_modeset_ctl function in (1) drivers/gpu/drm/drm_irq.c in the Direct\n Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.38 and (2) sys/dev/pci/drm/drm_irq.c in\n the kernel in OpenBSD before 4.9 allows local users to trigger out-of-bounds write operations, and\n consequently cause a denial of service (system crash) or possibly have unspecified other impact, via a\n crafted num_crtcs (aka vb_num) structure member in an ioctl argument. (CVE-2011-1013)\n\n - The Radeon GPU drivers in the Linux kernel before 2.6.38-rc5 do not properly validate data related to the\n AA resolve registers, which allows local users to write to arbitrary memory locations associated with (1)\n Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values. (CVE-2011-1016)\n\n - The dev_load function in net/core/dev.c in the Linux kernel before 2.6.38 allows local users to bypass an\n intended CAP_SYS_MODULE capability requirement and load arbitrary modules by leveraging the CAP_NET_ADMIN\n capability. (CVE-2011-1019)\n\n - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37\n does not initialize a certain response buffer, which allows local users to obtain potentially sensitive\n information from kernel memory via vectors that cause this buffer to be only partially filled, a different\n vulnerability than CVE-2010-4649. (CVE-2011-1044)\n\n - The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not\n ensure that a certain device field ends with a '\\0' character, which allows local users to obtain\n potentially sensitive information from kernel stack memory, or cause a denial of service (BUG and system\n crash), via a BNEPCONNADD command. (CVE-2011-1079)\n\n - The do_replace function in net/bridge/netfilter/ebtables.c in the Linux kernel before 2.6.39 does not\n ensure that a certain name field ends with a '\\0' character, which allows local users to obtain\n potentially sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability to\n replace a table, and then reading a modprobe command line. (CVE-2011-1080)\n\n - The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP)\n implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint,\n which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending\n a DCCP-Close packet followed by a DCCP-Reset packet. (CVE-2011-1093)\n\n - net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip_enable and auth_enable are used,\n does not consider the amount of zero padding during calculation of chunk lengths for (1) INIT and (2) INIT\n ACK chunks, which allows remote attackers to cause a denial of service (OOPS) via crafted packet data.\n (CVE-2011-1573)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2011-0498.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2011-1013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['2.6.32-71.29.1.el6'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2011-0498');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '2.6';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-2.6.32-71.29.1.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-2.6.32'},\n {'reference':'kernel-2.6.32-71.29.1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-2.6.32'},\n {'reference':'kernel-debug-2.6.32-71.29.1.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-2.6.32'},\n {'reference':'kernel-debug-2.6.32-71.29.1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-2.6.32'},\n {'reference':'kernel-debug-devel-2.6.32-71.29.1.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-devel-2.6.32'},\n {'reference':'kernel-debug-devel-2.6.32-71.29.1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-devel-2.6.32'},\n {'reference':'kernel-devel-2.6.32-71.29.1.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-devel-2.6.32'},\n {'reference':'kernel-devel-2.6.32-71.29.1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-devel-2.6.32'},\n {'reference':'kernel-firmware-2.6.32-71.29.1.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-firmware-2.6.32'},\n {'reference':'kernel-headers-2.6.32-71.29.1.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-2.6.32'},\n {'reference':'kernel-headers-2.6.32-71.29.1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-2.6.32'},\n {'reference':'perf-2.6.32-71.29.1.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-debug / kernel-debug-devel / etc');\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:48:57", "description": "The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-2015 advisory.\n\n - The bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the Controller Area Network (CAN) implementation in the Linux kernel 2.6.36 and earlier creates a publicly accessible file with a filename containing a kernel memory address, which allows local users to obtain potentially sensitive information about kernel memory use by listing this filename. (CVE-2010-4565)\n\n - Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large value of a certain structure member. (CVE-2010-4649)\n\n - The ima_lsm_rule_init function in security/integrity/ima/ima_policy.c in the Linux kernel before 2.6.37, when the Linux Security Modules (LSM) framework is disabled, allows local users to bypass Integrity Measurement Architecture (IMA) rules in opportunistic circumstances by leveraging an administrator's addition of an IMA rule for LSM. (CVE-2011-0006)\n\n - The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FSGEOMETRY_V1 ioctl call. (CVE-2011-0711)\n\n - Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel before 2.6.38-rc4-next-20110215 might allow attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.\n (CVE-2011-0712)\n\n - The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE binary. (CVE-2011-0726)\n\n - Integer signedness error in the drm_modeset_ctl function in (1) drivers/gpu/drm/drm_irq.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.38 and (2) sys/dev/pci/drm/drm_irq.c in the kernel in OpenBSD before 4.9 allows local users to trigger out-of-bounds write operations, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via a crafted num_crtcs (aka vb_num) structure member in an ioctl argument. (CVE-2011-1013)\n\n - The Radeon GPU drivers in the Linux kernel before 2.6.38-rc5 do not properly validate data related to the AA resolve registers, which allows local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values. (CVE-2011-1016)\n\n - The dev_load function in net/core/dev.c in the Linux kernel before 2.6.38 allows local users to bypass an intended CAP_SYS_MODULE capability requirement and load arbitrary modules by leveraging the CAP_NET_ADMIN capability. (CVE-2011-1019)\n\n - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 does not initialize a certain response buffer, which allows local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. (CVE-2011-1044)\n\n - The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a '\\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory, or cause a denial of service (BUG and system crash), via a BNEPCONNADD command. (CVE-2011-1079)\n\n - The do_replace function in net/bridge/netfilter/ebtables.c in the Linux kernel before 2.6.39 does not ensure that a certain name field ends with a '\\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability to replace a table, and then reading a modprobe command line. (CVE-2011-1080)\n\n - The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint, which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet. (CVE-2011-1093)\n\n - net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip_enable and auth_enable are used, does not consider the amount of zero padding during calculation of chunk lengths for (1) INIT and (2) INIT ACK chunks, which allows remote attackers to cause a denial of service (OOPS) via crafted packet data.\n (CVE-2011-1573)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2013-07-12T00:00:00", "type": "nessus", "title": "Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2011-2015)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4565", "CVE-2010-4649", "CVE-2011-0006", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1019", "CVE-2011-1044", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1573"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:5", "cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-headers", "p-cpe:/a:oracle:linux:ofa-2.6.32-100.28.15.el5", "p-cpe:/a:oracle:linux:ofa-2.6.32-100.28.15.el5debug"], "id": "ORACLELINUX_ELSA-2011-2015.NASL", "href": "https://www.tenable.com/plugins/nessus/68416", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2011-2015.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68416);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2010-4565\",\n \"CVE-2010-4649\",\n \"CVE-2011-0006\",\n \"CVE-2011-0711\",\n \"CVE-2011-0712\",\n \"CVE-2011-0726\",\n \"CVE-2011-1013\",\n \"CVE-2011-1016\",\n \"CVE-2011-1019\",\n \"CVE-2011-1044\",\n \"CVE-2011-1080\",\n \"CVE-2011-1093\",\n \"CVE-2011-1573\"\n );\n\n script_name(english:\"Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2011-2015)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2011-2015 advisory.\n\n - The bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the Controller Area Network (CAN)\n implementation in the Linux kernel 2.6.36 and earlier creates a publicly accessible file with a filename\n containing a kernel memory address, which allows local users to obtain potentially sensitive information\n about kernel memory use by listing this filename. (CVE-2010-4565)\n\n - Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux\n kernel before 2.6.37 allows local users to cause a denial of service (memory corruption) or possibly have\n unspecified other impact via a large value of a certain structure member. (CVE-2010-4649)\n\n - The ima_lsm_rule_init function in security/integrity/ima/ima_policy.c in the Linux kernel before 2.6.37,\n when the Linux Security Modules (LSM) framework is disabled, allows local users to bypass Integrity\n Measurement Architecture (IMA) rules in opportunistic circumstances by leveraging an administrator's\n addition of an IMA rule for LSM. (CVE-2011-0006)\n\n - The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not\n initialize a certain structure member, which allows local users to obtain potentially sensitive\n information from kernel stack memory via an FSGEOMETRY_V1 ioctl call. (CVE-2011-0711)\n\n - Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel\n before 2.6.38-rc4-next-20110215 might allow attackers to cause a denial of service or possibly have\n unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function\n in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.\n (CVE-2011-0712)\n\n - The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an\n expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by\n reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE\n binary. (CVE-2011-0726)\n\n - Integer signedness error in the drm_modeset_ctl function in (1) drivers/gpu/drm/drm_irq.c in the Direct\n Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.38 and (2) sys/dev/pci/drm/drm_irq.c in\n the kernel in OpenBSD before 4.9 allows local users to trigger out-of-bounds write operations, and\n consequently cause a denial of service (system crash) or possibly have unspecified other impact, via a\n crafted num_crtcs (aka vb_num) structure member in an ioctl argument. (CVE-2011-1013)\n\n - The Radeon GPU drivers in the Linux kernel before 2.6.38-rc5 do not properly validate data related to the\n AA resolve registers, which allows local users to write to arbitrary memory locations associated with (1)\n Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values. (CVE-2011-1016)\n\n - The dev_load function in net/core/dev.c in the Linux kernel before 2.6.38 allows local users to bypass an\n intended CAP_SYS_MODULE capability requirement and load arbitrary modules by leveraging the CAP_NET_ADMIN\n capability. (CVE-2011-1019)\n\n - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37\n does not initialize a certain response buffer, which allows local users to obtain potentially sensitive\n information from kernel memory via vectors that cause this buffer to be only partially filled, a different\n vulnerability than CVE-2010-4649. (CVE-2011-1044)\n\n - The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not\n ensure that a certain device field ends with a '\\0' character, which allows local users to obtain\n potentially sensitive information from kernel stack memory, or cause a denial of service (BUG and system\n crash), via a BNEPCONNADD command. (CVE-2011-1079)\n\n - The do_replace function in net/bridge/netfilter/ebtables.c in the Linux kernel before 2.6.39 does not\n ensure that a certain name field ends with a '\\0' character, which allows local users to obtain\n potentially sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability to\n replace a table, and then reading a modprobe command line. (CVE-2011-1080)\n\n - The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP)\n implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint,\n which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending\n a DCCP-Close packet followed by a DCCP-Reset packet. (CVE-2011-1093)\n\n - net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip_enable and auth_enable are used,\n does not consider the amount of zero padding during calculation of chunk lengths for (1) INIT and (2) INIT\n ACK chunks, which allows remote attackers to cause a denial of service (OOPS) via crafted packet data.\n (CVE-2011-1573)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2011-2015.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2011-1013\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ofa-2.6.32-100.28.15.el5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ofa-2.6.32-100.28.15.el5debug\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 5 / 6', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['2.6.32-100.28.15.el5', '2.6.32-100.28.15.el6'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2011-2015');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '2.6';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-2.6.32-100.28.15.el5', 'cpu':'x86_64', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-2.6.32'},\n {'reference':'kernel-uek-debug-2.6.32-100.28.15.el5', 'cpu':'x86_64', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-2.6.32'},\n {'reference':'kernel-uek-debug-devel-2.6.32-100.28.15.el5', 'cpu':'x86_64', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-2.6.32'},\n {'reference':'kernel-uek-devel-2.6.32-100.28.15.el5', 'cpu':'x86_64', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-2.6.32'},\n {'reference':'kernel-uek-doc-2.6.32-100.28.15.el5', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-2.6.32'},\n {'reference':'kernel-uek-firmware-2.6.32-100.28.15.el5', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-2.6.32'},\n {'reference':'kernel-uek-headers-2.6.32-100.28.15.el5', 'cpu':'x86_64', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-headers-2.6.32'},\n {'reference':'ofa-2.6.32-100.28.15.el5-1.5.1-4.0.28', 'cpu':'x86_64', 'release':'5', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ofa-2.6.32-100.28.15.el5debug-1.5.1-4.0.28', 'cpu':'x86_64', 'release':'5', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-2.6.32-100.28.15.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-2.6.32'},\n {'reference':'kernel-uek-debug-2.6.32-100.28.15.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-2.6.32'},\n {'reference':'kernel-uek-debug-devel-2.6.32-100.28.15.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-2.6.32'},\n {'reference':'kernel-uek-devel-2.6.32-100.28.15.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-2.6.32'},\n {'reference':'kernel-uek-doc-2.6.32-100.28.15.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-2.6.32'},\n {'reference':'kernel-uek-firmware-2.6.32-100.28.15.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-2.6.32'},\n {'reference':'kernel-uek-headers-2.6.32-100.28.15.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-headers-2.6.32'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:32:43", "description": "Brad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243)\n\nAlexander Duyck discovered that the Intel Gigabit Ethernet driver did not correctly handle certain configurations. If such a device was configured without VLANs, a remote attacker could crash the system, leading to a denial of service. (CVE-2010-4263)\n\nNelson Elhage discovered that Econet did not correctly handle AUN packets over UDP. A local attacker could send specially crafted traffic to crash the system, leading to a denial of service.\n(CVE-2010-4342)\n\nDan Rosenberg discovered that IRDA did not correctly check the size of buffers. On non-x86 systems, a local attacker could exploit this to read kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel addresses into the /proc filesystem. A local attacker could use this to increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nKees Cook discovered that the IOWarrior USB device driver did not correctly check certain size fields. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2010-4656)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized data from the disk, leading to a loss of privacy. (CVE-2011-0463)\n\nDan Carpenter discovered that the TTPCI DVB driver did not check certain values during an ioctl. If the dvb-ttpci module was loaded, a local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-0521)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race condition. On systems using InfiniBand, a local attacker could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory.\nA local attacker could make crafted ioctl calls to leak portions of kernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nRafael Dominguez Vega discovered that the caiaq Native Instruments USB driver did not correctly validate string lengths. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2011-0712)\n\nKees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726)\n\nTimo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010)\n\nTimo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1012)\n\nMatthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not correctly validate certain registers. On systems with specific hardware, a local attacker could exploit this to write to arbitrary video memory.\n(CVE-2011-1016)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not needed to load kernel modules. A local attacker with the CAP_NET_ADMIN capability could load existing kernel modules, possibly increasing the attack surface available on the system. (CVE-2011-1019)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)\n\nNelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service.\n(CVE-2011-1082)\n\nJohan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nVasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate the signal structure from tkill(). A local attacker could exploit this to send signals to arbitrary threads, possibly bypassing expected restrictions. (CVE-2011-1182)\n\nDan Rosenberg reported errors in the OSS (Open Sound System) MIDI interface. A local attacker on non-x86 systems might be able to cause a denial of service. (CVE-2011-1476)\n\nDan Rosenberg reported errors in the kernel's OSS (Open Sound System) driver for Yamaha FM synthesizer chips. A local user can exploit this to cause memory corruption, causing a denial of service or privilege escalation. (CVE-2011-1477)\n\nRyan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478)\n\nIt was discovered that the Stream Control Transmission Protocol (SCTP) implementation incorrectly calculated lengths. If the net.sctp.addip_enable variable was turned on, a remote attacker could send specially crafted traffic to crash the system. (CVE-2011-1573)\n\nA flaw was found in the b43 driver in the Linux kernel. An attacker could use this flaw to cause a denial of service if the system has an active wireless interface using the b43 driver. (CVE-2011-3359)\n\nMaynard Johnson discovered that on POWER7, certain speculative events may raise a performance monitor exception. A local attacker could exploit this to crash the system, leading to a denial of service.\n(CVE-2011-4611)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used by amateur radio. A local user or a remote user on an X.25 network could exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2011-06-13T00:00:00", "type": "nessus", "title": "Ubuntu 10.04 LTS : linux, linux-ec2 vulnerabilities (USN-1141-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.9, "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4243", "CVE-2010-4263", "CVE-2010-4342", "CVE-2010-4529", "CVE-2010-4565", "CVE-2010-4656", "CVE-2011-0463", "CVE-2011-0521", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-1010", "CVE-2011-1012", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1019", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1082", "CVE-2011-1083", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1173", "CVE-2011-1180", "CVE-2011-1182", "CVE-2011-1476", "CVE-2011-1477", "CVE-2011-1478", "CVE-2011-1573", "CVE-2011-2534", "CVE-2011-3359", "CVE-2011-4611", "CVE-2011-4913"], "modified": "2019-09-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-ec2", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-preempt", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts"], "id": "UBUNTU_USN-1141-1.NASL", "href": "https://www.tenable.com/plugins/nessus/55104", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1141-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55104);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/09/19 12:54:27\");\n\n script_cve_id(\"CVE-2010-4243\", \"CVE-2010-4263\", \"CVE-2010-4342\", \"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2010-4656\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1019\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1083\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1478\", \"CVE-2011-1573\", \"CVE-2011-2534\", \"CVE-2011-3359\", \"CVE-2011-4611\", \"CVE-2011-4913\");\n script_bugtraq_id(44661, 45004, 45208, 45321, 45556, 45986, 46069, 46419, 46492, 46512, 46557, 46630, 46839, 47003, 47116, 47639, 47791, 47792);\n script_xref(name:\"USN\", value:\"1141-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS : linux, linux-ec2 vulnerabilities (USN-1141-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Brad Spengler discovered that the kernel did not correctly account for\nuserspace memory allocations during exec() calls. A local attacker\ncould exploit this to consume all system memory, leading to a denial\nof service. (CVE-2010-4243)\n\nAlexander Duyck discovered that the Intel Gigabit Ethernet driver did\nnot correctly handle certain configurations. If such a device was\nconfigured without VLANs, a remote attacker could crash the system,\nleading to a denial of service. (CVE-2010-4263)\n\nNelson Elhage discovered that Econet did not correctly handle AUN\npackets over UDP. A local attacker could send specially crafted\ntraffic to crash the system, leading to a denial of service.\n(CVE-2010-4342)\n\nDan Rosenberg discovered that IRDA did not correctly check the size of\nbuffers. On non-x86 systems, a local attacker could exploit this to\nread kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel\naddresses into the /proc filesystem. A local attacker could use this\nto increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nKees Cook discovered that the IOWarrior USB device driver did not\ncorrectly check certain size fields. A local attacker with physical\naccess could plug in a specially crafted USB device to crash the\nsystem or potentially gain root privileges. (CVE-2010-4656)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not\ncorrectly clear memory when writing certain file holes. A local\nattacker could exploit this to read uninitialized data from the disk,\nleading to a loss of privacy. (CVE-2011-0463)\n\nDan Carpenter discovered that the TTPCI DVB driver did not check\ncertain values during an ioctl. If the dvb-ttpci module was loaded, a\nlocal attacker could exploit this to crash the system, leading to a\ndenial of service, or possibly gain root privileges. (CVE-2011-0521)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race\ncondition. On systems using InfiniBand, a local attacker could send\nspecially crafted requests to crash the system, leading to a denial of\nservice. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory.\nA local attacker could make crafted ioctl calls to leak portions of\nkernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nRafael Dominguez Vega discovered that the caiaq Native Instruments USB\ndriver did not correctly validate string lengths. A local attacker\nwith physical access could plug in a specially crafted USB device to\ncrash the system or potentially gain root privileges. (CVE-2011-0712)\n\nKees Cook reported that /proc/pid/stat did not correctly filter\ncertain memory locations. A local attacker could determine the memory\nlayout of processes in an attempt to increase the chances of a\nsuccessful memory corruption exploit. (CVE-2011-0726)\n\nTimo Warns discovered that MAC partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem or potentially gain root privileges. (CVE-2011-1010)\n\nTimo Warns discovered that LDM partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem, leading to a denial of service. (CVE-2011-1012)\n\nMatthiew Herrb discovered that the drm modeset interface did not\ncorrectly handle a signed comparison. A local attacker could exploit\nthis to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not correctly\nvalidate certain registers. On systems with specific hardware, a local\nattacker could exploit this to write to arbitrary video memory.\n(CVE-2011-1016)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not\nneeded to load kernel modules. A local attacker with the CAP_NET_ADMIN\ncapability could load existing kernel modules, possibly increasing the\nattack surface available on the system. (CVE-2011-1019)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\nclear memory. A local attacker could exploit this to read kernel stack\nmemory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\ncheck that device name strings were NULL terminated. A local attacker\ncould exploit this to crash the system, leading to a denial of\nservice, or leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check\nthat name fields were NULL terminated. A local attacker could exploit\nthis to leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1080)\n\nNelson Elhage discovered that the epoll subsystem did not correctly\nhandle certain structures. A local attacker could create malicious\nrequests that would hang the system, leading to a denial of service.\n(CVE-2011-1082)\n\nJohan Hovold discovered that the DCCP network stack did not correctly\nhandle certain packet combinations. A remote attacker could send\nspecially crafted network traffic that would crash the system, leading\nto a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly\ninitialize memory. A local attacker could exploit this to read kernel\nheap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nVasiliy Kulikov discovered that the netfilter code did not check\ncertain strings copied from userspace. A local attacker with netfilter\naccess could exploit this to read kernel memory or crash the system,\nleading to a denial of service. (CVE-2011-1170, CVE-2011-1171,\nCVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver\ndid not correctly initialize memory. A remote attacker could send\nspecially crafted traffic to read kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly\ncheck certain field sizes. If a system was using IRDA, a remote\nattacker could send specially crafted traffic to crash the system or\ngain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate\nthe signal structure from tkill(). A local attacker could exploit this\nto send signals to arbitrary threads, possibly bypassing expected\nrestrictions. (CVE-2011-1182)\n\nDan Rosenberg reported errors in the OSS (Open Sound System) MIDI\ninterface. A local attacker on non-x86 systems might be able to cause\na denial of service. (CVE-2011-1476)\n\nDan Rosenberg reported errors in the kernel's OSS (Open Sound System)\ndriver for Yamaha FM synthesizer chips. A local user can exploit this\nto cause memory corruption, causing a denial of service or privilege\nescalation. (CVE-2011-1477)\n\nRyan Sweat discovered that the GRO code did not correctly validate\nmemory. In some configurations on systems using VLANs, a remote\nattacker could send specially crafted traffic to crash the system,\nleading to a denial of service. (CVE-2011-1478)\n\nIt was discovered that the Stream Control Transmission Protocol (SCTP)\nimplementation incorrectly calculated lengths. If the\nnet.sctp.addip_enable variable was turned on, a remote attacker could\nsend specially crafted traffic to crash the system. (CVE-2011-1573)\n\nA flaw was found in the b43 driver in the Linux kernel. An attacker\ncould use this flaw to cause a denial of service if the system has an\nactive wireless interface using the b43 driver. (CVE-2011-3359)\n\nMaynard Johnson discovered that on POWER7, certain speculative events\nmay raise a performance monitor exception. A local attacker could\nexploit this to crash the system, leading to a denial of service.\n(CVE-2011-4611)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used\nby amateur radio. A local user or a remote user on an X.25 network\ncould exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1141-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-preempt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/12/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/06/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2010-4243\", \"CVE-2010-4263\", \"CVE-2010-4342\", \"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2010-4656\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1019\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1083\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1478\", \"CVE-2011-1573\", \"CVE-2011-2534\", \"CVE-2011-3359\", \"CVE-2011-4611\", \"CVE-2011-4913\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1141-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-316-ec2\", pkgver:\"2.6.32-316.31\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-32-386\", pkgver:\"2.6.32-32.62\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-32-generic\", pkgver:\"2.6.32-32.62\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-32-generic-pae\", pkgver:\"2.6.32-32.62\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-32-lpia\", pkgver:\"2.6.32-32.62\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-32-preempt\", pkgver:\"2.6.32-32.62\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-32-server\", pkgver:\"2.6.32-32.62\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-32-versatile\", pkgver:\"2.6.32-32.62\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-32-virtual\", pkgver:\"2.6.32-32.62\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-2.6-386 / linux-image-2.6-ec2 / linux-image-2.6-generic / etc\");\n}\n", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-17T14:22:07", "description": "Dan Rosenberg discovered that IRDA did not correctly check the size of buffers. On non-x86 systems, a local attacker could exploit this to read kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel addresses into the /proc filesystem. A local attacker could use this to increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nKees Cook discovered that the IOWarrior USB device driver did not correctly check certain size fields. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2010-4656)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized data from the disk, leading to a loss of privacy. (CVE-2011-0463)\n\nDan Carpenter discovered that the TTPCI DVB driver did not check certain values during an ioctl. If the dvb-ttpci module was loaded, a local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-0521)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race condition. On systems using InfiniBand, a local attacker could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory.\nA local attacker could make crafted ioctl calls to leak portions of kernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nRafael Dominguez Vega discovered that the caiaq Native Instruments USB driver did not correctly validate string lengths. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2011-0712)\n\nKees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726)\n\nTimo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010)\n\nTimo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1012)\n\nMatthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not correctly validate certain registers. On systems with specific hardware, a local attacker could exploit this to write to arbitrary video memory.\n(CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did not correctly handle certain values. By inserting a specially crafted disk device, a local attacker could exploit this to gain root privileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not needed to load kernel modules. A local attacker with the CAP_NET_ADMIN capability could load existing kernel modules, possibly increasing the attack surface available on the system. (CVE-2011-1019)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)\n\nNelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service.\n(CVE-2011-1082)\n\nJohan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nDan Rosenberg discovered that some ALSA drivers did not correctly check the adapter index during ioctl calls. If this driver was loaded, a local attacker could make a specially crafted ioctl call to gain root privileges. (CVE-2011-1169)\n\nVasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate the signal structure from tkill(). A local attacker could exploit this to send signals to arbitrary threads, possibly bypassing expected restrictions. (CVE-2011-1182)\n\nDan Rosenberg reported errors in the OSS (Open Sound System) MIDI interface. A local attacker on non-x86 systems might be able to cause a denial of service. (CVE-2011-1476)\n\nDan Rosenberg reported errors in the kernel's OSS (Open Sound System) driver for Yamaha FM synthesizer chips. A local user can exploit this to cause memory corruption, causing a denial of service or privilege escalation. (CVE-2011-1477)\n\nRyan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that MPT devices did not correctly validate certain values in ioctl calls. If these drivers were loaded, a local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nTavis Ormandy discovered that the pidmap function did not correctly handle large requests. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1593)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain ioctl values. A local attacker with access to the video subsystem could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-1745, CVE-2011-2022)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1748)\n\nA flaw was found in the b43 driver in the Linux kernel. An attacker could use this flaw to cause a denial of service if the system has an active wireless interface using the b43 driver. (CVE-2011-3359)\n\nMaynard Johnson discovered that on POWER7, certain speculative events may raise a performance monitor exception. A local attacker could exploit this to crash the system, leading to a denial of service.\n(CVE-2011-4611)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used by amateur radio. A local user or a remote user on an X.25 network could exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2011-06-29T00:00:00", "type": "nessus", "title": "Ubuntu 10.10 : linux vulnerabilities (USN-1160-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4529", "CVE-2010-4565", "CVE-2010-4656", "CVE-2011-0463", "CVE-2011-0521", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-1010", "CVE-2011-1012", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1017", "CVE-2011-1019", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1082", "CVE-2011-1083", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1169", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1173", "CVE-2011-1180", "CVE-2011-1182", "CVE-2011-1476", "CVE-2011-1477", "CVE-2011-1478", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1593", "CVE-2011-1745", "CVE-2011-1748", "CVE-2011-2022", "CVE-2011-2534", "CVE-2011-3359", "CVE-2011-4611", "CVE-2011-4913"], "modified": "2019-09-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual", "cpe:/o:canonical:ubuntu_linux:10.10"], "id": "UBUNTU_USN-1160-1.NASL", "href": "https://www.tenable.com/plugins/nessus/55454", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1160-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55454);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/09/19 12:54:27\");\n\n script_cve_id(\"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2010-4656\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1083\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1478\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1593\", \"CVE-2011-1745\", \"CVE-2011-1748\", \"CVE-2011-2022\", \"CVE-2011-2534\", \"CVE-2011-3359\", \"CVE-2011-4611\", \"CVE-2011-4913\");\n script_bugtraq_id(44661, 45556, 45986, 46069, 46417, 46419, 46492, 46512, 46839, 47116, 47791);\n script_xref(name:\"USN\", value:\"1160-1\");\n\n script_name(english:\"Ubuntu 10.10 : linux vulnerabilities (USN-1160-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dan Rosenberg discovered that IRDA did not correctly check the size of\nbuffers. On non-x86 systems, a local attacker could exploit this to\nread kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel\naddresses into the /proc filesystem. A local attacker could use this\nto increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nKees Cook discovered that the IOWarrior USB device driver did not\ncorrectly check certain size fields. A local attacker with physical\naccess could plug in a specially crafted USB device to crash the\nsystem or potentially gain root privileges. (CVE-2010-4656)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not\ncorrectly clear memory when writing certain file holes. A local\nattacker could exploit this to read uninitialized data from the disk,\nleading to a loss of privacy. (CVE-2011-0463)\n\nDan Carpenter discovered that the TTPCI DVB driver did not check\ncertain values during an ioctl. If the dvb-ttpci module was loaded, a\nlocal attacker could exploit this to crash the system, leading to a\ndenial of service, or possibly gain root privileges. (CVE-2011-0521)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race\ncondition. On systems using InfiniBand, a local attacker could send\nspecially crafted requests to crash the system, leading to a denial of\nservice. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory.\nA local attacker could make crafted ioctl calls to leak portions of\nkernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nRafael Dominguez Vega discovered that the caiaq Native Instruments USB\ndriver did not correctly validate string lengths. A local attacker\nwith physical access could plug in a specially crafted USB device to\ncrash the system or potentially gain root privileges. (CVE-2011-0712)\n\nKees Cook reported that /proc/pid/stat did not correctly filter\ncertain memory locations. A local attacker could determine the memory\nlayout of processes in an attempt to increase the chances of a\nsuccessful memory corruption exploit. (CVE-2011-0726)\n\nTimo Warns discovered that MAC partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem or potentially gain root privileges. (CVE-2011-1010)\n\nTimo Warns discovered that LDM partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem, leading to a denial of service. (CVE-2011-1012)\n\nMatthiew Herrb discovered that the drm modeset interface did not\ncorrectly handle a signed comparison. A local attacker could exploit\nthis to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not correctly\nvalidate certain registers. On systems with specific hardware, a local\nattacker could exploit this to write to arbitrary video memory.\n(CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did\nnot correctly handle certain values. By inserting a specially crafted\ndisk device, a local attacker could exploit this to gain root\nprivileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not\nneeded to load kernel modules. A local attacker with the CAP_NET_ADMIN\ncapability could load existing kernel modules, possibly increasing the\nattack surface available on the system. (CVE-2011-1019)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\nclear memory. A local attacker could exploit this to read kernel stack\nmemory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\ncheck that device name strings were NULL terminated. A local attacker\ncould exploit this to crash the system, leading to a denial of\nservice, or leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check\nthat name fields were NULL terminated. A local attacker could exploit\nthis to leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1080)\n\nNelson Elhage discovered that the epoll subsystem did not correctly\nhandle certain structures. A local attacker could create malicious\nrequests that would hang the system, leading to a denial of service.\n(CVE-2011-1082)\n\nJohan Hovold discovered that the DCCP network stack did not correctly\nhandle certain packet combinations. A remote attacker could send\nspecially crafted network traffic that would crash the system, leading\nto a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly\ninitialize memory. A local attacker could exploit this to read kernel\nheap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nDan Rosenberg discovered that some ALSA drivers did not correctly\ncheck the adapter index during ioctl calls. If this driver was loaded,\na local attacker could make a specially crafted ioctl call to gain\nroot privileges. (CVE-2011-1169)\n\nVasiliy Kulikov discovered that the netfilter code did not check\ncertain strings copied from userspace. A local attacker with netfilter\naccess could exploit this to read kernel memory or crash the system,\nleading to a denial of service. (CVE-2011-1170, CVE-2011-1171,\nCVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver\ndid not correctly initialize memory. A remote attacker could send\nspecially crafted traffic to read kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly\ncheck certain field sizes. If a system was using IRDA, a remote\nattacker could send specially crafted traffic to crash the system or\ngain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate\nthe signal structure from tkill(). A local attacker could exploit this\nto send signals to arbitrary threads, possibly bypassing expected\nrestrictions. (CVE-2011-1182)\n\nDan Rosenberg reported errors in the OSS (Open Sound System) MIDI\ninterface. A local attacker on non-x86 systems might be able to cause\na denial of service. (CVE-2011-1476)\n\nDan Rosenberg reported errors in the kernel's OSS (Open Sound System)\ndriver for Yamaha FM synthesizer chips. A local user can exploit this\nto cause memory corruption, causing a denial of service or privilege\nescalation. (CVE-2011-1477)\n\nRyan Sweat discovered that the GRO code did not correctly validate\nmemory. In some configurations on systems using VLANs, a remote\nattacker could send specially crafted traffic to crash the system,\nleading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that MPT devices did not correctly validate\ncertain values in ioctl calls. If these drivers were loaded, a local\nattacker could exploit this to read arbitrary kernel memory, leading\nto a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nTavis Ormandy discovered that the pidmap function did not correctly\nhandle large requests. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2011-1593)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain\nioctl values. A local attacker with access to the video subsystem\ncould exploit this to crash the system, leading to a denial of\nservice, or possibly gain root privileges. (CVE-2011-1745,\nCVE-2011-2022)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver\ndid not correctly validate certain socket structures. If this driver\nwas loaded, a local attacker could crash the system, leading to a\ndenial of service. (CVE-2011-1748)\n\nA flaw was found in the b43 driver in the Linux kernel. An attacker\ncould use this flaw to cause a denial of service if the system has an\nactive wireless interface using the b43 driver. (CVE-2011-3359)\n\nMaynard Johnson discovered that on POWER7, certain speculative events\nmay raise a performance monitor exception. A local attacker could\nexploit this to crash the system, leading to a denial of service.\n(CVE-2011-4611)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used\nby amateur radio. A local user or a remote user on an X.25 network\ncould exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1160-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/12/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/06/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/06/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2010-4656\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1083\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1478\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1593\", \"CVE-2011-1745\", \"CVE-2011-1748\", \"CVE-2011-2022\", \"CVE-2011-2534\", \"CVE-2011-3359\", \"CVE-2011-4611\", \"CVE-2011-4913\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1160-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-30-generic\", pkgver:\"2.6.35-30.54\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-30-generic-pae\", pkgver:\"2.6.35-30.54\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-30-server\", pkgver:\"2.6.35-30.54\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-30-versatile\", pkgver:\"2.6.35-30.54\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-30-virtual\", pkgver:\"2.6.35-30.54\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-2.6-generic / linux-image-2.6-generic-pae / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:25:39", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nThis update fixes the following security issues :\n\n - A flaw in the dccp_rcv_state_process() function could allow a remote attacker to cause a denial of service, even when the socket was already closed. (CVE-2011-1093, Important)\n\n - Multiple buffer overflow flaws were found in the Linux kernel's Management Module Support for Message Passing Technology (MPT) based controllers. A local, unprivileged user could use these flaws to cause a denial of service, an information leak, or escalate their privileges. (CVE-2011-1494, CVE-2011-1495, Important)\n\n - A missing validation of a null-terminated string data structure element in the bnep_sock_ioctl() function could allow a local user to cause an information leak or a denial of service. (CVE-2011-1079, Moderate)\n\n - Missing error checking in the way page tables were handled in the Xen hypervisor implementation could allow a privileged guest user to cause the host, and the guests, to lock up. (CVE-2011-1166, Moderate)\n\n - A flaw was found in the way the Xen hypervisor implementation checked for the upper boundary when getting a new event channel port. A privileged guest user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2011-1763, Moderate)\n\n - The start_code and end_code values in '/proc/[pid]/stat' were not protected. In certain scenarios, this flaw could be used to defeat Address Space Layout Randomization (ASLR). (CVE-2011-0726, Low)\n\n - A missing initialization flaw in the sco_sock_getsockopt() function could allow a local, unprivileged user to cause an information leak.\n (CVE-2011-1078, Low)\n\n - A missing validation of a null-terminated string data structure element in the do_replace() function could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080, Low)\n\n - A buffer overflow flaw in the DEC Alpha OSF partition implementation in the Linux kernel could allow a local attacker to cause an information leak by mounting a disk that contains specially crafted partition tables.\n (CVE-2011-1163, Low)\n\n - Missing validations of null-terminated string data structure elements in the do_replace(), compat_do_replace(), do_ipt_get_ctl(), do_ip6t_get_ctl(), and do_arpt_get_ctl() functions could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, Low)\n\n - A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk that contains specially crafted partition tables.\n (CVE-2011-1577, Low)\n\nThis update also fixes several bugs.\n\nThe system must be rebooted for this update to take effect.", "cvss3": {}, "published": "2012-08-01T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : kernel on SL5.x i386/x86_64", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0726", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1163", "CVE-2011-1166", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1577", "CVE-2011-1763"], "modified": "2021-01-14T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20110531_KERNEL_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/61059", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(61059);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-0726\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1163\", \"CVE-2011-1166\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1494\", \"CVE-2011-1577\", \"CVE-2011-1763\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues :\n\n - A flaw in the dccp_rcv_state_process() function could\n allow a remote attacker to cause a denial of service,\n even when the socket was already closed. (CVE-2011-1093,\n Important)\n\n - Multiple buffer overflow flaws were found in the Linux\n kernel's Management Module Support for Message Passing\n Technology (MPT) based controllers. A local,\n unprivileged user could use these flaws to cause a\n denial of service, an information leak, or escalate\n their privileges. (CVE-2011-1494, CVE-2011-1495,\n Important)\n\n - A missing validation of a null-terminated string data\n structure element in the bnep_sock_ioctl() function\n could allow a local user to cause an information leak or\n a denial of service. (CVE-2011-1079, Moderate)\n\n - Missing error checking in the way page tables were\n handled in the Xen hypervisor implementation could allow\n a privileged guest user to cause the host, and the\n guests, to lock up. (CVE-2011-1166, Moderate)\n\n - A flaw was found in the way the Xen hypervisor\n implementation checked for the upper boundary when\n getting a new event channel port. A privileged guest\n user could use this flaw to cause a denial of service or\n escalate their privileges. (CVE-2011-1763, Moderate)\n\n - The start_code and end_code values in '/proc/[pid]/stat'\n were not protected. In certain scenarios, this flaw\n could be used to defeat Address Space Layout\n Randomization (ASLR). (CVE-2011-0726, Low)\n\n - A missing initialization flaw in the\n sco_sock_getsockopt() function could allow a local,\n unprivileged user to cause an information leak.\n (CVE-2011-1078, Low)\n\n - A missing validation of a null-terminated string data\n structure element in the do_replace() function could\n allow a local user who has the CAP_NET_ADMIN capability\n to cause an information leak. (CVE-2011-1080, Low)\n\n - A buffer overflow flaw in the DEC Alpha OSF partition\n implementation in the Linux kernel could allow a local\n attacker to cause an information leak by mounting a disk\n that contains specially crafted partition tables.\n (CVE-2011-1163, Low)\n\n - Missing validations of null-terminated string data\n structure elements in the do_replace(),\n compat_do_replace(), do_ipt_get_ctl(),\n do_ip6t_get_ctl(), and do_arpt_get_ctl() functions could\n allow a local user who has the CAP_NET_ADMIN capability\n to cause an information leak. (CVE-2011-1170,\n CVE-2011-1171, CVE-2011-1172, Low)\n\n - A heap overflow flaw in the Linux kernel's EFI GUID\n Partition Table (GPT) implementation could allow a local\n attacker to cause a denial of service by mounting a disk\n that contains specially crafted partition tables.\n (CVE-2011-1577, Low)\n\nThis update also fixes several bugs.\n\nThe system must be rebooted for this update to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1106&L=scientific-linux-errata&T=0&P=1636\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f3b8fdda\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"kernel-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"kernel-PAE-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"kernel-PAE-debuginfo-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"kernel-PAE-devel-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-debug-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-debug-debuginfo-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-debug-devel-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-debuginfo-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-debuginfo-common-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-devel-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-headers-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-xen-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-xen-debuginfo-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-xen-devel-2.6.18-238.12.1.el5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-16T14:44:14", "description": "Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nThis update fixes the following security issues :\n\n* A flaw in the dccp_rcv_state_process() function could allow a remote attacker to cause a denial of service, even when the socket was already closed. (CVE-2011-1093, Important)\n\n* Multiple buffer overflow flaws were found in the Linux kernel's Management Module Support for Message Passing Technology (MPT) based controllers. A local, unprivileged user could use these flaws to cause a denial of service, an information leak, or escalate their privileges. (CVE-2011-1494, CVE-2011-1495, Important)\n\n* A missing validation of a null-terminated string data structure element in the bnep_sock_ioctl() function could allow a local user to cause an information leak or a denial of service. (CVE-2011-1079, Moderate)\n\n* Missing error checking in the way page tables were handled in the Xen hypervisor implementation could allow a privileged guest user to cause the host, and the guests, to lock up. (CVE-2011-1166, Moderate)\n\n* A flaw was found in the way the Xen hypervisor implementation checked for the upper boundary when getting a new event channel port.\nA privileged guest user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2011-1763, Moderate)\n\n* The start_code and end_code values in '/proc/[pid]/stat' were not protected. In certain scenarios, this flaw could be used to defeat Address Space Layout Randomization (ASLR). (CVE-2011-0726, Low)\n\n* A missing initialization flaw in the sco_sock_getsockopt() function could allow a local, unprivileged user to cause an information leak.\n(CVE-2011-1078, Low)\n\n* A missing validation of a null-terminated string data structure element in the do_replace() function could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak.\n(CVE-2011-1080, Low)\n\n* A buffer overflow flaw in the DEC Alpha OSF partition implementation in the Linux kernel could allow a local attacker to cause an information leak by mounting a disk that contains specially crafted partition tables. (CVE-2011-1163, Low)\n\n* Missing validations of null-terminated string data structure elements in the do_replace(), compat_do_replace(), do_ipt_get_ctl(), do_ip6t_get_ctl(), and do_arpt_get_ctl() functions could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, Low)\n\n* A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk that contains specially crafted partition tables. (CVE-2011-1577, Low)\n\nRed Hat would like to thank Dan Rosenberg for reporting CVE-2011-1494 and CVE-2011-1495; Vasiliy Kulikov for reporting CVE-2011-1079, CVE-2011-1078, CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, and CVE-2011-1172; Kees Cook for reporting CVE-2011-0726; and Timo Warns for reporting CVE-2011-1163 and CVE-2011-1577.\n\nThis update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section.\n\nUsers should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.", "cvss3": {}, "published": "2013-06-29T00:00:00", "type": "nessus", "title": "CentOS 5 : kernel (CESA-2011:0833)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0726", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1163", "CVE-2011-1166", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1577", "CVE-2011-1763"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-PAE", "p-cpe:/a:centos:centos:kernel-PAE-devel", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-debug-devel", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel-doc", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-xen", "p-cpe:/a:centos:centos:kernel-xen-devel", "cpe:/o:centos:centos:5"], "id": "CENTOS_RHSA-2011-0833.NASL", "href": "https://www.tenable.com/plugins/nessus/67081", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2011:0833 and \n# CentOS Errata and Security Advisory 2011:0833 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67081);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2011-0726\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1163\", \"CVE-2011-1166\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1577\", \"CVE-2011-1763\");\n script_bugtraq_id(46616, 46793, 46878, 46919, 47185, 47343, 47791, 48048);\n script_xref(name:\"RHSA\", value:\"2011:0833\");\n\n script_name(english:\"CentOS 5 : kernel (CESA-2011:0833)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix multiple security issues and several\nbugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues :\n\n* A flaw in the dccp_rcv_state_process() function could allow a remote\nattacker to cause a denial of service, even when the socket was\nalready closed. (CVE-2011-1093, Important)\n\n* Multiple buffer overflow flaws were found in the Linux kernel's\nManagement Module Support for Message Passing Technology (MPT) based\ncontrollers. A local, unprivileged user could use these flaws to cause\na denial of service, an information leak, or escalate their\nprivileges. (CVE-2011-1494, CVE-2011-1495, Important)\n\n* A missing validation of a null-terminated string data structure\nelement in the bnep_sock_ioctl() function could allow a local user to\ncause an information leak or a denial of service. (CVE-2011-1079,\nModerate)\n\n* Missing error checking in the way page tables were handled in the\nXen hypervisor implementation could allow a privileged guest user to\ncause the host, and the guests, to lock up. (CVE-2011-1166, Moderate)\n\n* A flaw was found in the way the Xen hypervisor implementation\nchecked for the upper boundary when getting a new event channel port.\nA privileged guest user could use this flaw to cause a denial of\nservice or escalate their privileges. (CVE-2011-1763, Moderate)\n\n* The start_code and end_code values in '/proc/[pid]/stat' were not\nprotected. In certain scenarios, this flaw could be used to defeat\nAddress Space Layout Randomization (ASLR). (CVE-2011-0726, Low)\n\n* A missing initialization flaw in the sco_sock_getsockopt() function\ncould allow a local, unprivileged user to cause an information leak.\n(CVE-2011-1078, Low)\n\n* A missing validation of a null-terminated string data structure\nelement in the do_replace() function could allow a local user who has\nthe CAP_NET_ADMIN capability to cause an information leak.\n(CVE-2011-1080, Low)\n\n* A buffer overflow flaw in the DEC Alpha OSF partition implementation\nin the Linux kernel could allow a local attacker to cause an\ninformation leak by mounting a disk that contains specially crafted\npartition tables. (CVE-2011-1163, Low)\n\n* Missing validations of null-terminated string data structure\nelements in the do_replace(), compat_do_replace(), do_ipt_get_ctl(),\ndo_ip6t_get_ctl(), and do_arpt_get_ctl() functions could allow a local\nuser who has the CAP_NET_ADMIN capability to cause an information\nleak. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, Low)\n\n* A heap overflow flaw in the Linux kernel's EFI GUID Partition Table\n(GPT) implementation could allow a local attacker to cause a denial of\nservice by mounting a disk that contains specially crafted partition\ntables. (CVE-2011-1577, Low)\n\nRed Hat would like to thank Dan Rosenberg for reporting CVE-2011-1494\nand CVE-2011-1495; Vasiliy Kulikov for reporting CVE-2011-1079,\nCVE-2011-1078, CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, and\nCVE-2011-1172; Kees Cook for reporting CVE-2011-0726; and Timo Warns\nfor reporting CVE-2011-1163 and CVE-2011-1577.\n\nThis update also fixes several bugs. Documentation for these bug fixes\nwill be available shortly from the Technical Notes document linked to\nin the References section.\n\nUsers should upgrade to these updated packages, which contain\nbackported patches to correct these issues, and fix the bugs noted in\nthe Technical Notes. The system must be rebooted for this update to\ntake effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2011-May/017609.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2ad5c8d8\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2011-May/017610.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d109830b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-PAE\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-PAE-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", cpu:\"i386\", reference:\"kernel-PAE-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", cpu:\"i386\", reference:\"kernel-PAE-devel-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-debug-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-debug-devel-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-devel-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-doc-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-headers-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-xen-2.6.18-238.12.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-xen-devel-2.6.18-238.12.1.el5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-17T14:21:26", "description": "Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nThis update fixes the following security issues :\n\n* A flaw in the dccp_rcv_state_process() function could allow a remote attacker to cause a denial of service, even when the socket was already closed. (CVE-2011-1093, Important)\n\n* Multiple buffer overflow flaws were found in the Linux kernel's Management Module Support for Message Passing Technology (MPT) based controllers. A local, unprivileged user could use these flaws to cause a denial of service, an information leak, or escalate their privileges. (CVE-2011-1494, CVE-2011-1495, Important)\n\n* A missing validation of a null-terminated string data structure element in the bnep_sock_ioctl() function could allow a local user to cause an information leak or a denial of service. (CVE-2011-1079, Moderate)\n\n* Missing error checking in the way page tables were handled in the Xen hypervisor implementation could allow a privileged guest user to cause the host, and the guests, to lock up. (CVE-2011-1166, Moderate)\n\n* A flaw was found in the way the Xen hypervisor implementation checked for the upper boundary when getting a new event channel port.\nA privileged guest user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2011-1763, Moderate)\n\n* The start_code and end_code values in '/proc/[pid]/stat' were not protected. In certain scenarios, this flaw could be used to defeat Address Space Layout Randomization (ASLR). (CVE-2011-0726, Low)\n\n* A missing initialization flaw in the sco_sock_getsockopt() function could allow a local, unprivileged user to cause an information leak.\n(CVE-2011-1078, Low)\n\n* A missing validation of a null-terminated string data structure element in the do_replace() function could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak.\n(CVE-2011-1080, Low)\n\n* A buffer overflow flaw in the DEC Alpha OSF partition implementation in the Linux kernel could allow a local attacker to cause an information leak by mounting a disk that contains specially crafted partition tables. (CVE-2011-1163, Low)\n\n* Missing validations of null-terminated string data structure elements in the do_replace(), compat_do_replace(), do_ipt_get_ctl(), do_ip6t_get_ctl(), and do_arpt_get_ctl() functions could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, Low)\n\n* A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk that contains specially crafted partition tables. (CVE-2011-1577, Low)\n\nRed Hat would like to thank Dan Rosenberg for reporting CVE-2011-1494 and CVE-2011-1495; Vasiliy Kulikov for reporting CVE-2011-1079, CVE-2011-1078, CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, and CVE-2011-1172; Kees Cook for reporting CVE-2011-0726; and Timo Warns for reporting CVE-2011-1163 and CVE-2011-1577.\n\nThis update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section.\n\nUsers should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.", "cvss3": {}, "published": "2011-06-01T00:00:00", "type": "nessus", "title": "RHEL 5 : kernel (RHSA-2011:0833)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0726", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1163", "CVE-2011-1166", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1577", "CVE-2011-1763"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-PAE", "p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-xen", "p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:5.6"], "id": "REDHAT-RHSA-2011-0833.NASL", "href": "https://www.tenable.com/plugins/nessus/54925", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2011:0833. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(54925);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-0726\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1163\", \"CVE-2011-1166\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1577\", \"CVE-2011-1763\");\n script_bugtraq_id(46616, 46793, 46878, 46919, 47185, 47343, 47791, 48048);\n script_xref(name:\"RHSA\", value:\"2011:0833\");\n\n script_name(english:\"RHEL 5 : kernel (RHSA-2011:0833)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix multiple security issues and several\nbugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues :\n\n* A flaw in the dccp_rcv_state_process() function could allow a remote\nattacker to cause a denial of service, even when the socket was\nalready closed. (CVE-2011-1093, Important)\n\n* Multiple buffer overflow flaws were found in the Linux kernel's\nManagement Module Support for Message Passing Technology (MPT) based\ncontrollers. A local, unprivileged user could use these flaws to cause\na denial of service, an information leak, or escalate their\nprivileges. (CVE-2011-1494, CVE-2011-1495, Important)\n\n* A missing validation of a null-terminated string data structure\nelement in the bnep_sock_ioctl() function could allow a local user to\ncause an information leak or a denial of service. (CVE-2011-1079,\nModerate)\n\n* Missing error checking in the way page tables were handled in the\nXen hypervisor implementation could allow a privileged guest user to\ncause the host, and the guests, to lock up. (CVE-2011-1166, Moderate)\n\n* A flaw was found in the way the Xen hypervisor implementation\nchecked for the upper boundary when getting a new event channel port.\nA privileged guest user could use this flaw to cause a denial of\nservice or escalate their privileges. (CVE-2011-1763, Moderate)\n\n* The start_code and end_code values in '/proc/[pid]/stat' were not\nprotected. In certain scenarios, this flaw could be used to defeat\nAddress Space Layout Randomization (ASLR). (CVE-2011-0726, Low)\n\n* A missing initialization flaw in the sco_sock_getsockopt() function\ncould allow a local, unprivileged user to cause an information leak.\n(CVE-2011-1078, Low)\n\n* A missing validation of a null-terminated string data structure\nelement in the do_replace() function could allow a local user who has\nthe CAP_NET_ADMIN capability to cause an information leak.\n(CVE-2011-1080, Low)\n\n* A buffer overflow flaw in the DEC Alpha OSF partition implementation\nin the Linux kernel could allow a local attacker to cause an\ninformation leak by mounting a disk that contains specially crafted\npartition tables. (CVE-2011-1163, Low)\n\n* Missing validations of null-terminated string data structure\nelements in the do_replace(), compat_do_replace(), do_ipt_get_ctl(),\ndo_ip6t_get_ctl(), and do_arpt_get_ctl() functions could allow a local\nuser who has the CAP_NET_ADMIN capability to cause an information\nleak. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, Low)\n\n* A heap overflow flaw in the Linux kernel's EFI GUID Partition Table\n(GPT) implementation could allow a local attacker to cause a denial of\nservice by mounting a disk that contains specially crafted partition\ntables. (CVE-2011-1577, Low)\n\nRed Hat would like to thank Dan Rosenberg for reporting CVE-2011-1494\nand CVE-2011-1495; Vasiliy Kulikov for reporting CVE-2011-1079,\nCVE-2011-1078, CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, and\nCVE-2011-1172; Kees Cook for reporting CVE-2011-0726; and Timo Warns\nfor reporting CVE-2011-1163 and CVE-2011-1577.\n\nThis update also fixes several bugs. Documentation for these bug fixes\nwill be available shortly from the Technical Notes document linked to\nin the References section.\n\nUsers should upgrade to these updated packages, which contain\nbackported patches to correct these issues, and fix the bugs noted in\nthe Technical Notes. The system must be rebooted for this update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-0726\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1078\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1079\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1080\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1093\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1163\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1166\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1170\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1171\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1172\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1494\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1495\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1763\"\n );\n # http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?056c0c27\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2011:0833\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-PAE\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/06/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2011-0726\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1163\", \"CVE-2011-1166\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1577\", \"CVE-2011-1763\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2011:0833\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2011:0833\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-PAE-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-PAE-devel-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-debug-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-debug-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-debug-devel-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-debug-devel-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-devel-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-devel-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"kernel-doc-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"kernel-headers-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-headers-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-kdump-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-kdump-devel-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-xen-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-xen-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-xen-devel-2.6.18-238.12.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-xen-devel-2.6.18-238.12.1.el5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-17T14:25:37", "description": "From Red Hat Security Advisory 2011:0833 :\n\nUpdated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nThis update fixes the following security issues :\n\n* A flaw in the dccp_rcv_state_process() function could allow a remote attacker to cause a denial of service, even when the socket was already closed. (CVE-2011-1093, Important)\n\n* Multiple buffer overflow flaws were found in the Linux kernel's Management Module Support for Message Passing Technology (MPT) based controllers. A local, unprivileged user could use these flaws to cause a denial of service, an information leak, or escalate their privileges. (CVE-2011-1494, CVE-2011-1495, Important)\n\n* A missing validation of a null-terminated string data structure element in the bnep_sock_ioctl() function could allow a local user to cause an information leak or a denial of service. (CVE-2011-1079, Moderate)\n\n* Missing error checking in the way page tables were handled in the Xen hypervisor implementation could allow a privileged guest user to cause the host, and the guests, to lock up. (CVE-2011-1166, Moderate)\n\n* A flaw was found in the way the Xen hypervisor implementation checked for the upper boundary when getting a new event channel port.\nA privileged guest user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2011-1763, Moderate)\n\n* The start_code and end_code values in '/proc/[pid]/stat' were not protected. In certain scenarios, this flaw could be used to defeat Address Space Layout Randomization (ASLR). (CVE-2011-0726, Low)\n\n* A missing initialization flaw in the sco_sock_getsockopt() function could allow a local, unprivileged user to cause an information leak.\n(CVE-2011-1078, Low)\n\n* A missing validation of a null-terminated string data structure element in the do_replace() function could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak.\n(CVE-2011-1080, Low)\n\n* A buffer overflow flaw in the DEC Alpha OSF partition implementation in the Linux kernel could allow a local attacker to cause an information leak by mounting a disk that contains specially crafted partition tables. (CVE-2011-1163, Low)\n\n* Missing validations of null-terminated string data structure elements in the do_replace(), compat_do_replace(), do_ipt_get_ctl(), do_ip6t_get_ctl(), and do_arpt_get_ctl() functions could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, Low)\n\n* A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk that contains specially crafted partition tables. (CVE-2011-1577, Low)\n\nRed Hat would like to thank Dan Rosenberg for reporting CVE-2011-1494 and CVE-2011-1495; Vasiliy Kulikov for reporting CVE-2011-1079, CVE-2011-1078, CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, and CVE-2011-1172; Kees Cook for reporting CVE-2011-0726; and Timo Warns for reporting CVE-2011-1163 and CVE-2011-1577.\n\nThis update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section.\n\nUsers should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.", "cvss3": {}, "published": "2013-07-12T00:00:00", "type": "nessus", "title": "Oracle Linux 5 : kernel (ELSA-2011-0833)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0726", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1163", "CVE-2011-1166", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1577", "CVE-2011-1763"], "modified": "2021-08-24T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-PAE", "p-cpe:/a:oracle:linux:kernel-PAE-devel", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-doc", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-xen", "p-cpe:/a:oracle:linux:kernel-xen-devel", "cpe:/o:oracle:linux:5"], "id": "ORACLELINUX_ELSA-2011-0833.NASL", "href": "https://www.tenable.com/plugins/nessus/68276", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2011:0833 and \n# Oracle Linux Security Advisory ELSA-2011-0833 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68276);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/08/24\");\n\n script_cve_id(\"CVE-2011-0726\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1163\", \"CVE-2011-1166\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1577\", \"CVE-2011-1763\");\n script_bugtraq_id(46616, 46793, 46878, 46919, 47185, 47343, 47791, 48048);\n script_xref(name:\"RHSA\", value:\"2011:0833\");\n\n script_name(english:\"Oracle Linux 5 : kernel (ELSA-2011-0833)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2011:0833 :\n\nUpdated kernel packages that fix multiple security issues and several\nbugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues :\n\n* A flaw in the dccp_rcv_state_process() function could allow a remote\nattacker to cause a denial of service, even when the socket was\nalready closed. (CVE-2011-1093, Important)\n\n* Multiple buffer overflow flaws were found in the Linux kernel's\nManagement Module Support for Message Passing Technology (MPT) based\ncontrollers. A local, unprivileged user could use these flaws to cause\na denial of service, an information leak, or escalate their\nprivileges. (CVE-2011-1494, CVE-2011-1495, Important)\n\n* A missing validation of a null-terminated string data structure\nelement in the bnep_sock_ioctl() function could allow a local user to\ncause an information leak or a denial of service. (CVE-2011-1079,\nModerate)\n\n* Missing error checking in the way page tables were handled in the\nXen hypervisor implementation could allow a privileged guest user to\ncause the host, and the guests, to lock up. (CVE-2011-1166, Moderate)\n\n* A flaw was found in the way the Xen hypervisor implementation\nchecked for the upper boundary when getting a new event channel port.\nA privileged guest user could use this flaw to cause a denial of\nservice or escalate their privileges. (CVE-2011-1763, Moderate)\n\n* The start_code and end_code values in '/proc/[pid]/stat' were not\nprotected. In certain scenarios, this flaw could be used to defeat\nAddress Space Layout Randomization (ASLR). (CVE-2011-0726, Low)\n\n* A missing initialization flaw in the sco_sock_getsockopt() function\ncould allow a local, unprivileged user to cause an information leak.\n(CVE-2011-1078, Low)\n\n* A missing validation of a null-terminated string data structure\nelement in the do_replace() function could allow a local user who has\nthe CAP_NET_ADMIN capability to cause an information leak.\n(CVE-2011-1080, Low)\n\n* A buffer overflow flaw in the DEC Alpha OSF partition implementation\nin the Linux kernel could allow a local attacker to cause an\ninformation leak by mounting a disk that contains specially crafted\npartition tables. (CVE-2011-1163, Low)\n\n* Missing validations of null-terminated string data structure\nelements in the do_replace(), compat_do_replace(), do_ipt_get_ctl(),\ndo_ip6t_get_ctl(), and do_arpt_get_ctl() functions could allow a local\nuser who has the CAP_NET_ADMIN capability to cause an information\nleak. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, Low)\n\n* A heap overflow flaw in the Linux kernel's EFI GUID Partition Table\n(GPT) implementation could allow a local attacker to cause a denial of\nservice by mounting a disk that contains specially crafted partition\ntables. (CVE-2011-1577, Low)\n\nRed Hat would like to thank Dan Rosenberg for reporting CVE-2011-1494\nand CVE-2011-1495; Vasiliy Kulikov for reporting CVE-2011-1079,\nCVE-2011-1078, CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, and\nCVE-2011-1172; Kees Cook for reporting CVE-2011-0726; and Timo Warns\nfor reporting CVE-2011-1163 and CVE-2011-1577.\n\nThis update also fixes several bugs. Documentation for these bug fixes\nwill be available shortly from the Technical Notes document linked to\nin the References section.\n\nUsers should upgrade to these updated packages, which contain\nbackported patches to correct these issues, and fix the bugs noted in\nthe Technical Notes. The system must be rebooted for this update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2011-June/002158.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-PAE\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-PAE-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n cve_list = make_list(\"CVE-2011-0726\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1163\", \"CVE-2011-1166\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1577\", \"CVE-2011-1763\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2011-0833\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-2.6.18-238.12.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-PAE-2.6.18\") && rpm_check(release:\"EL5\", cpu:\"i386\", reference:\"kernel-PAE-2.6.18-238.12.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-PAE-devel-2.6.18\") && rpm_check(release:\"EL5\", cpu:\"i386\", reference:\"kernel-PAE-devel-2.6.18-238.12.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-debug-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-debug-2.6.18-238.12.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-debug-devel-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-debug-devel-2.6.18-238.12.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-devel-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-devel-2.6.18-238.12.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-doc-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-doc-2.6.18-238.12.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-headers-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-headers-2.6.18-238.12.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-xen-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-xen-2.6.18-238.12.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-xen-devel-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-xen-devel-2.6.18-238.12.1.0.1.el5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:26:09", "description": "Stable update 2.6.34.8, extra bug fixes, some basic hardware backports for Intel Sandy Bridge upon request. Update to kernel 2.6.34.8:\nhttp://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.34/ChangeLog\n-2.6.34.8\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2011-03-08T00:00:00", "type": "nessus", "title": "Fedora 13 : kernel-2.6.34.8-68.fc13 (2011-2134)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4163", "CVE-2010-4165", "CVE-2010-4346", "CVE-2010-4648", "CVE-2010-4649", "CVE-2010-4650", "CVE-2010-4668", "CVE-2011-0006", "CVE-2011-0521", "CVE-2011-1044"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:13"], "id": "FEDORA_2011-2134.NASL", "href": "https://www.tenable.com/plugins/nessus/52571", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-2134.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(52571);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2010-4163\", \"CVE-2010-4165\", \"CVE-2010-4346\", \"CVE-2010-4648\", \"CVE-2010-4649\", \"CVE-2010-4650\", \"CVE-2010-4668\", \"CVE-2011-0006\", \"CVE-2011-0521\", \"CVE-2011-1044\");\n script_bugtraq_id(44793, 44830, 45323, 45660, 45986, 46073, 46322, 46323, 46488);\n script_xref(name:\"FEDORA\", value:\"2011-2134\");\n\n script_name(english:\"Fedora 13 : kernel-2.6.34.8-68.fc13 (2011-2134)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stable update 2.6.34.8, extra bug fixes, some basic hardware backports\nfor Intel Sandy Bridge upon request. Update to kernel 2.6.34.8:\nhttp://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.34/ChangeLog\n-2.6.34.8\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.34/ChangeLog-2.6.34.8\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f290312c\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=652508\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=652957\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=662189\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=667892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=667907\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=667912\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=667916\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=672398\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-March/055238.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bda7c3b9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:13\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/02/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^13([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 13.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC13\", reference:\"kernel-2.6.34.8-68.fc13\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:50:38", "description": "From Red Hat Security Advisory 2011:0927 :\n\nUpdated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nThis update fixes the following security issues :\n\n* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important)\n\n* A race condition in the way new InfiniBand connections were set up could allow a remote user to cause a denial of service.\n(CVE-2011-0695, Important)\n\n* A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl 'net.sctp.addip_enable' variable was turned on (it is off by default). (CVE-2011-1573, Important)\n\n* Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important)\n\n* An integer overflow flaw in agp_allocate_memory() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important)\n\n* A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN) packets. An attacker on the local network could trigger this flaw by sending specially crafted packets to a target system, possibly causing a denial of service. (CVE-2011-1576, Moderate)\n\n* An integer signedness error in next_pidmap() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1593, Moderate)\n\n* A flaw in the way the Xen hypervisor implementation handled CPUID instruction emulation during virtual machine exits could allow an unprivileged guest user to crash a guest. This only affects systems that have an Intel x86 processor with the Intel VT-x extension enabled. (CVE-2011-1936, Moderate)\n\n* A flaw in inet_diag_bc_audit() could allow a local, unprivileged user to cause a denial of service (infinite loop). (CVE-2011-2213, Moderate)\n\n* A missing initialization flaw in the XFS file system implementation could lead to an information leak. (CVE-2011-0711, Low)\n\n* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak. (CVE-2011-1044, Low)\n\n* A missing validation check was found in the signals implementation.\nA local, unprivileged user could use this flaw to send signals via the sigqueueinfo system call, with the si_code set to SI_TKILL and with spoofed process and user IDs, to other processes. Note: This flaw does not allow existing permission checks to be bypassed; signals can only be sent if your privileges allow you to already do so. (CVE-2011-1182, Low)\n\n* A heap overflow flaw in the EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk containing specially crafted partition tables. (CVE-2011-1776, Low)\n\n* Structure padding in two structures in the Bluetooth implementation was not initialized properly before being copied to user-space, possibly allowing local, unprivileged users to leak kernel stack memory to user-space. (CVE-2011-2492, Low)\n\nRed Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695;\nVasiliy Kulikov for reporting CVE-2011-1745, CVE-2011-2022, and CVE-2011-1746; Ryan Sweat for reporting CVE-2011-1576; Robert Swiecki for reporting CVE-2011-1593; Dan Rosenberg for reporting CVE-2011-2213 and CVE-2011-0711; Julien Tinnes of the Google Security Team for reporting CVE-2011-1182; Timo Warns for reporting CVE-2011-1776; and Marek Kroemeke and Filip Palian for reporting CVE-2011-2492.\n\nBug fix documentation will be available shortly from the Technical Notes document linked to in the References.\n\nUsers should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2013-07-12T00:00:00", "type": "nessus", "title": "Oracle Linux 5 : kernel (ELSA-2011-0927)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4649", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-1044", "CVE-2011-1182", "CVE-2011-1573", "CVE-2011-1576", "CVE-2011-1593", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1776", "CVE-2011-1936", "CVE-2011-2022", "CVE-2011-2213", "CVE-2011-2492"], "modified": "2021-08-24T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-PAE", "p-cpe:/a:oracle:linux:kernel-PAE-devel", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-doc", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-xen", "p-cpe:/a:oracle:linux:kernel-xen-devel", "cpe:/o:oracle:linux:5"], "id": "ORACLELINUX_ELSA-2011-0927.NASL", "href": "https://www.tenable.com/plugins/nessus/68304", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2011:0927 and \n# Oracle Linux Security Advisory ELSA-2011-0927 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68304);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/08/24\");\n\n script_cve_id(\"CVE-2010-4649\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-1044\", \"CVE-2011-1182\", \"CVE-2011-1573\", \"CVE-2011-1576\", \"CVE-2011-1593\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1776\", \"CVE-2011-1936\", \"CVE-2011-2022\", \"CVE-2011-2213\", \"CVE-2011-2492\");\n script_bugtraq_id(46073, 46417, 46488, 46839, 47003, 47308, 47497, 47534, 47535, 47796, 47843, 48333, 48441, 48610);\n script_xref(name:\"RHSA\", value:\"2011:0927\");\n\n script_name(english:\"Oracle Linux 5 : kernel (ELSA-2011-0927)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2011:0927 :\n\nUpdated kernel packages that fix multiple security issues and several\nbugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues :\n\n* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local,\nunprivileged user to cause a denial of service or escalate their\nprivileges. (CVE-2010-4649, Important)\n\n* A race condition in the way new InfiniBand connections were set up\ncould allow a remote user to cause a denial of service.\n(CVE-2011-0695, Important)\n\n* A flaw in the Stream Control Transmission Protocol (SCTP)\nimplementation could allow a remote attacker to cause a denial of\nservice if the sysctl 'net.sctp.addip_enable' variable was turned on\n(it is off by default). (CVE-2011-1573, Important)\n\n* Flaws in the AGPGART driver implementation when handling certain\nIOCTL commands could allow a local, unprivileged user to cause a\ndenial of service or escalate their privileges. (CVE-2011-1745,\nCVE-2011-2022, Important)\n\n* An integer overflow flaw in agp_allocate_memory() could allow a\nlocal, unprivileged user to cause a denial of service or escalate\ntheir privileges. (CVE-2011-1746, Important)\n\n* A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN)\npackets. An attacker on the local network could trigger this flaw by\nsending specially crafted packets to a target system, possibly causing\na denial of service. (CVE-2011-1576, Moderate)\n\n* An integer signedness error in next_pidmap() could allow a local,\nunprivileged user to cause a denial of service. (CVE-2011-1593,\nModerate)\n\n* A flaw in the way the Xen hypervisor implementation handled CPUID\ninstruction emulation during virtual machine exits could allow an\nunprivileged guest user to crash a guest. This only affects systems\nthat have an Intel x86 processor with the Intel VT-x extension\nenabled. (CVE-2011-1936, Moderate)\n\n* A flaw in inet_diag_bc_audit() could allow a local, unprivileged\nuser to cause a denial of service (infinite loop). (CVE-2011-2213,\nModerate)\n\n* A missing initialization flaw in the XFS file system implementation\ncould lead to an information leak. (CVE-2011-0711, Low)\n\n* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user\nto cause an information leak. (CVE-2011-1044, Low)\n\n* A missing validation check was found in the signals implementation.\nA local, unprivileged user could use this flaw to send signals via the\nsigqueueinfo system call, with the si_code set to SI_TKILL and with\nspoofed process and user IDs, to other processes. Note: This flaw does\nnot allow existing permission checks to be bypassed; signals can only\nbe sent if your privileges allow you to already do so. (CVE-2011-1182,\nLow)\n\n* A heap overflow flaw in the EFI GUID Partition Table (GPT)\nimplementation could allow a local attacker to cause a denial of\nservice by mounting a disk containing specially crafted partition\ntables. (CVE-2011-1776, Low)\n\n* Structure padding in two structures in the Bluetooth implementation\nwas not initialized properly before being copied to user-space,\npossibly allowing local, unprivileged users to leak kernel stack\nmemory to user-space. (CVE-2011-2492, Low)\n\nRed Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695;\nVasiliy Kulikov for reporting CVE-2011-1745, CVE-2011-2022, and\nCVE-2011-1746; Ryan Sweat for reporting CVE-2011-1576; Robert Swiecki\nfor reporting CVE-2011-1593; Dan Rosenberg for reporting CVE-2011-2213\nand CVE-2011-0711; Julien Tinnes of the Google Security Team for\nreporting CVE-2011-1182; Timo Warns for reporting CVE-2011-1776; and\nMarek Kroemeke and Filip Palian for reporting CVE-2011-2492.\n\nBug fix documentation will be available shortly from the Technical\nNotes document linked to in the References.\n\nUsers should upgrade to these updated packages, which contain\nbackported patches to correct these issues, and fix the bugs noted in\nthe Technical Notes. The system must be rebooted for this update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2011-July/002231.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-PAE\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-PAE-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n cve_list = make_list(\"CVE-2010-4649\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-1044\", \"CVE-2011-1182\", \"CVE-2011-1573\", \"CVE-2011-1576\", \"CVE-2011-1593\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1776\", \"CVE-2011-1936\", \"CVE-2011-2022\", \"CVE-2011-2213\", \"CVE-2011-2492\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2011-0927\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-2.6.18-238.19.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-PAE-2.6.18\") && rpm_check(release:\"EL5\", cpu:\"i386\", reference:\"kernel-PAE-2.6.18-238.19.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-PAE-devel-2.6.18\") && rpm_check(release:\"EL5\", cpu:\"i386\", reference:\"kernel-PAE-devel-2.6.18-238.19.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-debug-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-debug-2.6.18-238.19.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-debug-devel-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-debug-devel-2.6.18-238.19.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-devel-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-devel-2.6.18-238.19.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-doc-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-doc-2.6.18-238.19.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-headers-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-headers-2.6.18-238.19.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-xen-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-xen-2.6.18-238.19.1.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-xen-devel-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-xen-devel-2.6.18-238.19.1.0.1.el5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:26:53", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nThis update fixes the following security issues :\n\n - An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important)\n\n - A race condition in the way new InfiniBand connections were set up could allow a remote user to cause a denial of service. (CVE-2011-0695, Important)\n\n - A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl 'net.sctp.addip_enable' variable was turned on (it is off by default). (CVE-2011-1573, Important)\n\n - Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important)\n\n - An integer overflow flaw in agp_allocate_memory() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important)\n\n - A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN) packets. An attacker on the local network could trigger this flaw by sending specially crafted packets to a target system, possibly causing a denial of service. (CVE-2011-1576, Moderate)\n\n - An integer signedness error in next_pidmap() could allow a local, unprivileged user to cause a denial of service.\n (CVE-2011-1593, Moderate)\n\n - A flaw in the way the Xen hypervisor implementation handled CPUID instruction emulation during virtual machine exits could allow an unprivileged guest user to crash a guest. This only affects systems that have an Intel x86 processor with the Intel VT-x extension enabled. (CVE-2011-1936, Moderate)\n\n - A flaw in inet_diag_bc_audit() could allow a local, unprivileged user to cause a denial of service (infinite loop). (CVE-2011-2213, Moderate)\n\n - A missing initialization flaw in the XFS file system implementation could lead to an information leak.\n (CVE-2011-0711, Low)\n\n - A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak.\n (CVE-2011-1044, Low)\n\n - A missing validation check was found in the signals implementation. A local, unprivileged user could use this flaw to send signals via the sigqueueinfo system call, with the si_code set to SI_TKILL and with spoofed process and user IDs, to other processes. Note: This flaw does not allow existing permission checks to be bypassed; signals can only be sent if your privileges allow you to already do so. (CVE-2011-1182, Low)\n\n - A heap overflow flaw in the EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk containing specially crafted partition tables. (CVE-2011-1776, Low)\n\n - Structure padding in two structures in the Bluetooth implementation was not initialized properly before being copied to user-space, possibly allowing local, unprivileged users to leak kernel stack memory to user-space. (CVE-2011-2492, Low)\n\nThis update fixes several bugs.\n\nThe system must be rebooted for this update to take effect.", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2012-08-01T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : kernel on SL5.x i386/x86_64", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4649", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-1044", "CVE-2011-1182", "CVE-2011-1573", "CVE-2011-1576", "CVE-2011-1593", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1776", "CVE-2011-1936", "CVE-2011-2022", "CVE-2011-2213", "CVE-2011-2492"], "modified": "2021-01-14T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20110715_KERNEL_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/61083", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(61083);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-4649\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-1182\", \"CVE-2011-1573\", \"CVE-2011-1576\", \"CVE-2011-1593\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1776\", \"CVE-2011-1936\", \"CVE-2011-2213\", \"CVE-2011-2492\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues :\n\n - An integer overflow flaw in ib_uverbs_poll_cq() could\n allow a local, unprivileged user to cause a denial of\n service or escalate their privileges. (CVE-2010-4649,\n Important)\n\n - A race condition in the way new InfiniBand connections\n were set up could allow a remote user to cause a denial\n of service. (CVE-2011-0695, Important)\n\n - A flaw in the Stream Control Transmission Protocol\n (SCTP) implementation could allow a remote attacker to\n cause a denial of service if the sysctl\n 'net.sctp.addip_enable' variable was turned on (it is\n off by default). (CVE-2011-1573, Important)\n\n - Flaws in the AGPGART driver implementation when handling\n certain IOCTL commands could allow a local, unprivileged\n user to cause a denial of service or escalate their\n privileges. (CVE-2011-1745, CVE-2011-2022, Important)\n\n - An integer overflow flaw in agp_allocate_memory() could\n allow a local, unprivileged user to cause a denial of\n service or escalate their privileges. (CVE-2011-1746,\n Important)\n\n - A flaw allowed napi_reuse_skb() to be called on VLAN\n (virtual LAN) packets. An attacker on the local network\n could trigger this flaw by sending specially crafted\n packets to a target system, possibly causing a denial of\n service. (CVE-2011-1576, Moderate)\n\n - An integer signedness error in next_pidmap() could allow\n a local, unprivileged user to cause a denial of service.\n (CVE-2011-1593, Moderate)\n\n - A flaw in the way the Xen hypervisor implementation\n handled CPUID instruction emulation during virtual\n machine exits could allow an unprivileged guest user to\n crash a guest. This only affects systems that have an\n Intel x86 processor with the Intel VT-x extension\n enabled. (CVE-2011-1936, Moderate)\n\n - A flaw in inet_diag_bc_audit() could allow a local,\n unprivileged user to cause a denial of service (infinite\n loop). (CVE-2011-2213, Moderate)\n\n - A missing initialization flaw in the XFS file system\n implementation could lead to an information leak.\n (CVE-2011-0711, Low)\n\n - A flaw in ib_uverbs_poll_cq() could allow a local,\n unprivileged user to cause an information leak.\n (CVE-2011-1044, Low)\n\n - A missing validation check was found in the signals\n implementation. A local, unprivileged user could use\n this flaw to send signals via the sigqueueinfo system\n call, with the si_code set to SI_TKILL and with spoofed\n process and user IDs, to other processes. Note: This\n flaw does not allow existing permission checks to be\n bypassed; signals can only be sent if your privileges\n allow you to already do so. (CVE-2011-1182, Low)\n\n - A heap overflow flaw in the EFI GUID Partition Table\n (GPT) implementation could allow a local attacker to\n cause a denial of service by mounting a disk containing\n specially crafted partition tables. (CVE-2011-1776, Low)\n\n - Structure padding in two structures in the Bluetooth\n implementation was not initialized properly before being\n copied to user-space, possibly allowing local,\n unprivileged users to leak kernel stack memory to\n user-space. (CVE-2011-2492, Low)\n\nThis update fixes several bugs.\n\nThe system must be rebooted for this update to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1107&L=scientific-linux-errata&T=0&P=1940\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e210468e\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"kernel-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"kernel-PAE-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"kernel-PAE-devel-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-debug-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-debug-devel-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-devel-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-doc-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-headers-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-xen-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"kernel-xen-devel-2.6.18-238.19.1.el5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:34:18", "description": "Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nThis update fixes the following security issues :\n\n* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important)\n\n* A race condition in the way new InfiniBand connections were set up could allow a remote user to cause a denial of service.\n(CVE-2011-0695, Important)\n\n* A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl 'net.sctp.addip_enable' variable was turned on (it is off by default). (CVE-2011-1573, Important)\n\n* Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important)\n\n* An integer overflow flaw in agp_allocate_memory() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important)\n\n* A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN) packets. An attacker on the local network could trigger this flaw by sending specially crafted packets to a target system, possibly causing a denial of service. (CVE-2011-1576, Moderate)\n\n* An integer signedness error in next_pidmap() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1593, Moderate)\n\n* A flaw in the way the Xen hypervisor implementation handled CPUID instruction emulation during virtual machine exits could allow an unprivileged guest user to crash a guest. This only affects systems that have an Intel x86 processor with the Intel VT-x extension enabled. (CVE-2011-1936, Moderate)\n\n* A flaw in inet_diag_bc_audit() could allow a local, unprivileged user to cause a denial of service (infinite loop). (CVE-2011-2213, Moderate)\n\n* A missing initialization flaw in the XFS file system implementation could lead to an information leak. (CVE-2011-0711, Low)\n\n* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak. (CVE-2011-1044, Low)\n\n* A missing validation check was found in the signals implementation.\nA local, unprivileged user could use this flaw to send signals via the sigqueueinfo system call, with the si_code set to SI_TKILL and with spoofed process and user IDs, to other processes. Note: This flaw does not allow existing permission checks to be bypassed; signals can only be sent if your privileges allow you to already do so. (CVE-2011-1182, Low)\n\n* A heap overflow flaw in the EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk containing specially crafted partition tables. (CVE-2011-1776, Low)\n\n* Structure padding in two structures in the Bluetooth implementation was not initialized properly before being copied to user-space, possibly allowing local, unprivileged users to leak kernel stack memory to user-space. (CVE-2011-2492, Low)\n\nRed Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695;\nVasiliy Kulikov for reporting CVE-2011-1745, CVE-2011-2022, and CVE-2011-1746; Ryan Sweat for reporting CVE-2011-1576; Robert Swiecki for reporting CVE-2011-1593; Dan Rosenberg for reporting CVE-2011-2213 and CVE-2011-0711; Julien Tinnes of the Google Security Team for reporting CVE-2011-1182; Timo Warns for reporting CVE-2011-1776; and Marek Kroemeke and Filip Palian for reporting CVE-2011-2492.\n\nBug fix documentation will be available shortly from the Technical Notes document linked to in the References.\n\nUsers should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2011-07-15T00:00:00", "type": "nessus", "title": "RHEL 5 : kernel (RHSA-2011:0927)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4649", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-1044", "CVE-2011-1182", "CVE-2011-1573", "CVE-2011-1576", "CVE-2011-1593", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1776", "CVE-2011-1936", "CVE-2011-2022", "CVE-2011-2213", "CVE-2011-2492"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-PAE", "p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-xen", "p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:5.6"], "id": "REDHAT-RHSA-2011-0927.NASL", "href": "https://www.tenable.com/plugins/nessus/55597", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2011:0927. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(55597);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-4649\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-1044\", \"CVE-2011-1182\", \"CVE-2011-1573\", \"CVE-2011-1576\", \"CVE-2011-1593\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1776\", \"CVE-2011-1936\", \"CVE-2011-2022\", \"CVE-2011-2213\", \"CVE-2011-2492\");\n script_bugtraq_id(46073, 46417, 46488, 46839, 47003, 47308, 47497, 47534, 47535, 47796, 47843, 48333, 48441, 48610);\n script_xref(name:\"RHSA\", value:\"2011:0927\");\n\n script_name(english:\"RHEL 5 : kernel (RHSA-2011:0927)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix multiple security issues and several\nbugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues :\n\n* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local,\nunprivileged user to cause a denial of service or escalate their\nprivileges. (CVE-2010-4649, Important)\n\n* A race condition in the way new InfiniBand connections were set up\ncould allow a remote user to cause a denial of service.\n(CVE-2011-0695, Important)\n\n* A flaw in the Stream Control Transmission Protocol (SCTP)\nimplementation could allow a remote attacker to cause a denial of\nservice if the sysctl 'net.sctp.addip_enable' variable was turned on\n(it is off by default). (CVE-2011-1573, Important)\n\n* Flaws in the AGPGART driver implementation when handling certain\nIOCTL commands could allow a local, unprivileged user to cause a\ndenial of service or escalate their privileges. (CVE-2011-1745,\nCVE-2011-2022, Important)\n\n* An integer overflow flaw in agp_allocate_memory() could allow a\nlocal, unprivileged user to cause a denial of service or escalate\ntheir privileges. (CVE-2011-1746, Important)\n\n* A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN)\npackets. An attacker on the local network could trigger this flaw by\nsending specially crafted packets to a target system, possibly causing\na denial of service. (CVE-2011-1576, Moderate)\n\n* An integer signedness error in next_pidmap() could allow a local,\nunprivileged user to cause a denial of service. (CVE-2011-1593,\nModerate)\n\n* A flaw in the way the Xen hypervisor implementation handled CPUID\ninstruction emulation during virtual machine exits could allow an\nunprivileged guest user to crash a guest. This only affects systems\nthat have an Intel x86 processor with the Intel VT-x extension\nenabled. (CVE-2011-1936, Moderate)\n\n* A flaw in inet_diag_bc_audit() could allow a local, unprivileged\nuser to cause a denial of service (infinite loop). (CVE-2011-2213,\nModerate)\n\n* A missing initialization flaw in the XFS file system implementation\ncould lead to an information leak. (CVE-2011-0711, Low)\n\n* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user\nto cause an information leak. (CVE-2011-1044, Low)\n\n* A missing validation check was found in the signals implementation.\nA local, unprivileged user could use this flaw to send signals via the\nsigqueueinfo system call, with the si_code set to SI_TKILL and with\nspoofed process and user IDs, to other processes. Note: This flaw does\nnot allow existing permission checks to be bypassed; signals can only\nbe sent if your privileges allow you to already do so. (CVE-2011-1182,\nLow)\n\n* A heap overflow flaw in the EFI GUID Partition Table (GPT)\nimplementation could allow a local attacker to cause a denial of\nservice by mounting a disk containing specially crafted partition\ntables. (CVE-2011-1776, Low)\n\n* Structure padding in two structures in the Bluetooth implementation\nwas not initialized properly before being copied to user-space,\npossibly allowing local, unprivileged users to leak kernel stack\nmemory to user-space. (CVE-2011-2492, Low)\n\nRed Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695;\nVasiliy Kulikov for reporting CVE-2011-1745, CVE-2011-2022, and\nCVE-2011-1746; Ryan Sweat for reporting CVE-2011-1576; Robert Swiecki\nfor reporting CVE-2011-1593; Dan Rosenberg for reporting CVE-2011-2213\nand CVE-2011-0711; Julien Tinnes of the Google Security Team for\nreporting CVE-2011-1182; Timo Warns for reporting CVE-2011-1776; and\nMarek Kroemeke and Filip Palian for reporting CVE-2011-2492.\n\nBug fix documentation will be available shortly from the Technical\nNotes document linked to in the References.\n\nUsers should upgrade to these updated packages, which contain\nbackported patches to correct these issues, and fix the bugs noted in\nthe Technical Notes. The system must be rebooted for this update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-4649\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-0695\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-0711\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1044\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1573\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1576\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1593\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1745\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1746\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1776\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1936\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-2022\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-2213\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-2492\"\n );\n # https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?056c0c27\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2011:0927\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-PAE\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2010-4649\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-1044\", \"CVE-2011-1182\", \"CVE-2011-1573\", \"CVE-2011-1576\", \"CVE-2011-1593\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1776\", \"CVE-2011-1936\", \"CVE-2011-2022\", \"CVE-2011-2213\", \"CVE-2011-2492\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2011:0927\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2011:0927\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-PAE-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-PAE-devel-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-debug-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-debug-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-debug-devel-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-debug-devel-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-devel-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-devel-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"kernel-doc-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"kernel-headers-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-headers-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-kdump-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-kdump-devel-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-xen-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-xen-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-xen-devel-2.6.18-238.19.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-xen-devel-2.6.18-238.19.1.el5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:34:21", "description": "Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nThis update fixes the following security issues :\n\n* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important)\n\n* A race condition in the way new InfiniBand connections were set up could allow a remote user to cause a denial of service.\n(CVE-2011-0695, Important)\n\n* A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl 'net.sctp.addip_enable' variable was turned on (it is off by default). (CVE-2011-1573, Important)\n\n* Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important)\n\n* An integer overflow flaw in agp_allocate_memory() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2011-1746, Important)\n\n* A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN) packets. An attacker on the local network could trigger this flaw by sending specially crafted packets to a target system, possibly causing a denial of service. (CVE-2011-1576, Moderate)\n\n* An integer signedness error in next_pidmap() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-1593, Moderate)\n\n* A flaw in the way the Xen hypervisor implementation handled CPUID instruction emulation during virtual machine exits could allow an unprivileged guest user to crash a guest. This only affects systems that have an Intel x86 processor with the Intel VT-x extension enabled. (CVE-2011-1936, Moderate)\n\n* A flaw in inet_diag_bc_audit() could allow a local, unprivileged user to cause a denial of service (infinite loop). (CVE-2011-2213, Moderate)\n\n* A missing initialization flaw in the XFS file system implementation could lead to an information leak. (CVE-2011-0711, Low)\n\n* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause an information leak. (CVE-2011-1044, Low)\n\n* A missing validation check was found in the signals implementation.\nA local, unprivileged user could use this flaw to send signals via the sigqueueinfo system call, with the si_code set to SI_TKILL and with spoofed process and user IDs, to other processes. Note: This flaw does not allow existing permission checks to be bypassed; signals can only be sent if your privileges allow you to already do so. (CVE-2011-1182, Low)\n\n* A heap overflow flaw in the EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk containing specially crafted partition tables. (CVE-2011-1776, Low)\n\n* Structure padding in two structures in the Bluetooth implementation was not initialized properly before being copied to user-space, possibly allowing local, unprivileged users to leak kernel stack memory to user-space. (CVE-2011-2492, Low)\n\nRed Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695;\nVasiliy Kulikov for reporting CVE-2011-1745, CVE-2011-2022, and CVE-2011-1746; Ryan Sweat for reporting CVE-2011-1576; Robert Swiecki for reporting CVE-2011-1593; Dan Rosenberg for reporting CVE-2011-2213 and CVE-2011-0711; Julien Tinnes of the Google Security Team for reporting CVE-2011-1182; Timo Warns for reporting CVE-2011-1776; and Marek Kroemeke and Filip Palian for reporting CVE-2011-2492.\n\nBug fix documentation will be available shortly from the Technical Notes document linked to in the References.\n\nUsers should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2011-07-19T00:00:00", "type": "nessus", "title": "CentOS 5 : kernel (CESA-2011:0927)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4649", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-1044", "CVE-2011-1182", "CVE-2011-1573", "CVE-2011-1576", "CVE-2011-1593", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1776", "CVE-2011-1936", "CVE-2011-2022", "CVE-2011-2213", "CVE-2011-2492"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-PAE", "p-cpe:/a:centos:centos:kernel-PAE-devel", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-debug-devel", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel-doc", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-xen", "p-cpe:/a:centos:centos:kernel-xen-devel", "cpe:/o:centos:centos:5"], "id": "CENTOS_RHSA-2011-0927.NASL", "href": "https://www.tenable.com/plugins/nessus/55609", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2011:0927 and \n# CentOS Errata and Security Advisory 2011:0927 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(55609);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2010-4649\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-1044\", \"CVE-2011-1182\", \"CVE-2011-1573\", \"CVE-2011-1576\", \"CVE-2011-1593\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1776\", \"CVE-2011-1936\", \"CVE-2011-2022\", \"CVE-2011-2213\", \"CVE-2011-2492\");\n script_bugtraq_id(46073, 46417, 46488, 46839, 47003, 47308, 47497, 47534, 47535, 47796, 47843, 48333, 48441, 48610);\n script_xref(name:\"RHSA\", value:\"2011:0927\");\n\n script_name(english:\"CentOS 5 : kernel (CESA-2011:0927)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix multiple security issues and several\nbugs are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues :\n\n* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local,\nunprivileged user to cause a denial of service or escalate their\nprivileges. (CVE-2010-4649, Important)\n\n* A race condition in the way new InfiniBand connections were set up\ncould allow a remote user to cause a denial of service.\n(CVE-2011-0695, Important)\n\n* A flaw in the Stream Control Transmission Protocol (SCTP)\nimplementation could allow a remote attacker to cause a denial of\nservice if the sysctl 'net.sctp.addip_enable' variable was turned on\n(it is off by default). (CVE-2011-1573, Important)\n\n* Flaws in the AGPGART driver implementation when handling certain\nIOCTL commands could allow a local, unprivileged user to cause a\ndenial of service or escalate their privileges. (CVE-2011-1745,\nCVE-2011-2022, Important)\n\n* An integer overflow flaw in agp_allocate_memory() could allow a\nlocal, unprivileged user to cause a denial of service or escalate\ntheir privileges. (CVE-2011-1746, Important)\n\n* A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN)\npackets. An attacker on the local network could trigger this flaw by\nsending specially crafted packets to a target system, possibly causing\na denial of service. (CVE-2011-1576, Moderate)\n\n* An integer signedness error in next_pidmap() could allow a local,\nunprivileged user to cause a denial of service. (CVE-2011-1593,\nModerate)\n\n* A flaw in the way the Xen hypervisor implementation handled CPUID\ninstruction emulation during virtual machine exits could allow an\nunprivileged guest user to crash a guest. This only affects systems\nthat have an Intel x86 processor with the Intel VT-x extension\nenabled. (CVE-2011-1936, Moderate)\n\n* A flaw in inet_diag_bc_audit() could allow a local, unprivileged\nuser to cause a denial of service (infinite loop). (CVE-2011-2213,\nModerate)\n\n* A missing initialization flaw in the XFS file system implementation\ncould lead to an information leak. (CVE-2011-0711, Low)\n\n* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user\nto cause an information leak. (CVE-2011-1044, Low)\n\n* A missing validation check was found in the signals implementation.\nA local, unprivileged user could use this flaw to send signals via the\nsigqueueinfo system call, with the si_code set to SI_TKILL and with\nspoofed process and user IDs, to other processes. Note: This flaw does\nnot allow existing permission checks to be bypassed; signals can only\nbe sent if your privileges allow you to already do so. (CVE-2011-1182,\nLow)\n\n* A heap overflow flaw in the EFI GUID Partition Table (GPT)\nimplementation could allow a local attacker to cause a denial of\nservice by mounting a disk containing specially crafted partition\ntables. (CVE-2011-1776, Low)\n\n* Structure padding in two structures in the Bluetooth implementation\nwas not initialized properly before being copied to user-space,\npossibly allowing local, unprivileged users to leak kernel stack\nmemory to user-space. (CVE-2011-2492, Low)\n\nRed Hat would like to thank Jens Kuehnel for reporting CVE-2011-0695;\nVasiliy Kulikov for reporting CVE-2011-1745, CVE-2011-2022, and\nCVE-2011-1746; Ryan Sweat for reporting CVE-2011-1576; Robert Swiecki\nfor reporting CVE-2011-1593; Dan Rosenberg for reporting CVE-2011-2213\nand CVE-2011-0711; Julien Tinnes of the Google Security Team for\nreporting CVE-2011-1182; Timo Warns for reporting CVE-2011-1776; and\nMarek Kroemeke and Filip Palian for reporting CVE-2011-2492.\n\nBug fix documentation will be available shortly from the Technical\nNotes document linked to in the References.\n\nUsers should upgrade to these updated packages, which contain\nbackported patches to correct these issues, and fix the bugs noted in\nthe Technical Notes. The system must be rebooted for this update to\ntake effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2011-July/017646.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8d65c9da\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2011-July/017647.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2d98f161\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-PAE\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-PAE-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/07/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", cpu:\"i386\", reference:\"kernel-PAE-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", cpu:\"i386\", reference:\"kernel-PAE-devel-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-debug-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-debug-devel-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-devel-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-doc-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-headers-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-xen-2.6.18-238.19.1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"kernel-xen-devel-2.6.18-238.19.1.el5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:27:22", "description": "The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.36 and fixes various bugs and security issues.\n\nThe following security issues were fixed :\n\n - When parsing the FAC_NATIONAL_DIGIS facilities field, it was possible for a remote host to provide more digipeaters than expected, resulting in heap corruption.\n (CVE-2011-1493)\n\n - (no CVEs assigned yet): In the rose networking stack, when parsing the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP facilities fields, a remote host could provide a length of less than 10, resulting in an underflow in a memcpy size, causing a kernel panic due to massive heap corruption. A length of greater than 20 results in a stack overflow of the callsign array\n\n - The code for evaluating OSF partitions (in fs/partitions/osf.c) contained a bug that leaks data from kernel heap memory to userspace for certain corrupted OSF partitions. (CVE-2011-1163)\n\n - A bug in the order of dccp_rcv_state_process() was fixed that still permitted reception even after closing the socket. A Reset after close thus causes a NULL pointer dereference by not preventing operations on an already torn-down socket. (CVE-2011-1093)\n\n - A signedness issue in drm_modeset_ctl() could be used by local attackers with access to the drm devices to potentially crash the kernel or escalate privileges.\n (CVE-2011-1013)\n\n - The epoll subsystem in Linux did not prevent users from creating circular epoll file structures, potentially leading to a denial of service (kernel deadlock).\n (CVE-2011-1082)\n\n - Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel might have allowed attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c. (CVE-2011-0712)\n\n - Local attackers could send signals to their programs that looked like coming from the kernel, potentially gaining privileges in the context of setuid programs.\n (CVE-2011-1182)\n\n - An issue in the core GRO code where an skb belonging to an unknown VLAN is reused could result in a NULL pointer dereference. (CVE-2011-1478)\n\n - Specially crafted requests may be written to /dev/sequencer resulting in an underflow when calculating a size for a copy_from_user() operation in the driver for MIDI interfaces. On x86, this just returns an error, but it could have caused memory corruption on other architectures. Other malformed requests could have resulted in the use of uninitialized variables. (CVE-2011-1476)\n\n - Due to a failure to validate user-supplied indexes in the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request could have been sent to /dev/sequencer, resulting in reading and writing beyond the bounds of heap buffers, and potentially allowing privilege escalation. (CVE-2011-1477)\n\n - A information leak in the XFS geometry calls could be used by local attackers to gain access to kernel information. (CVE-2011-0191)\n\n - A page allocator issue in NFS v4 ACL handling that could lead to a denial of service (crash) was fixed.\n (CVE-2011-1090)\n\n - net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions. (CVE-2010-3880)\n\n - Fixed a buffer size issue in 'usb iowarrior' module, where a malicious device could overflow a kernel buffer.\n (CVE-2010-4656)\n\n - The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel did not check the sign of a certain integer field, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value. (CVE-2011-0521)\n\n - In the IrDA module, length fields provided by a peer for names and attributes may be longer than the destination array sizes and were not checked, this allowed local attackers (close to the irda port) to potentially corrupt memory. (CVE-2011-1180)\n\n - A system out of memory condition (denial of service) could be triggered with a large socket backlog, exploitable by local users. This has been addressed by backlog limiting. (CVE-2010-4251)\n\n - The Radeon GPU drivers in the Linux kernel did not properly validate data related to the AA resolve registers, which allowed local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values. (CVE-2011-1016)\n\n - Boundschecking was missing in AARESOLVE_OFFSET, which allowed local attackers to overwrite kernel memory and so escalate privileges or crash the kernel.\n (CVE-2011-1573)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2011-04-28T00:00:00", "type": "nessus", "title": "SuSE 11.1 Security Update : Linux kernel (SAT Patch Number 4376)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3880", "CVE-2010-4251", "CVE-2010-4656", "CVE-2011-0191", "CVE-2011-0521", "CVE-2011-0712", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1082", "CVE-2011-1090", "CVE-2011-1093", "CVE-2011-1163", "CVE-2011-1180", "CVE-2011-1182", "CVE-2011-1476", "CVE-2011-1477", "CVE-2011-1478", "CVE-2011-1493", "CVE-2011-1573"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:btrfs-kmp-default", "p-cpe:/a:novell:suse_linux:11:btrfs-kmp-xen", "p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-default", "p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-xen", "p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-default", "p-cpe:/a:novell:suse_linux:11:kernel-default", "p-cpe:/a:novell:suse_linux:11:kernel-default-base", "p-cpe:/a:novell:suse_linux:11:kernel-default-devel", "p-cpe:/a:novell:suse_linux:11:kernel-default-extra", "p-cpe:/a:novell:suse_linux:11:kernel-desktop-devel", "p-cpe:/a:novell:suse_linux:11:kernel-ec2", "p-cpe:/a:novell:suse_linux:11:kernel-ec2-base", "p-cpe:/a:novell:suse_linux:11:kernel-source", "p-cpe:/a:novell:suse_linux:11:kernel-syms", "p-cpe:/a:novell:suse_linux:11:kernel-trace", "p-cpe:/a:novell:suse_linux:11:kernel-trace-base", "p-cpe:/a:novell:suse_linux:11:kernel-trace-devel", "p-cpe:/a:novell:suse_linux:11:kernel-xen", "p-cpe:/a:novell:suse_linux:11:kernel-xen-base", "p-cpe:/a:novell:suse_linux:11:kernel-xen-devel", "p-cpe:/a:novell:suse_linux:11:kernel-xen-extra", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_11_KERNEL-110415.NASL", "href": "https://www.tenable.com/plugins/nessus/53571", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(53571);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2010-3880\", \"CVE-2010-4251\", \"CVE-2010-4656\", \"CVE-2011-0191\", \"CVE-2011-0521\", \"CVE-2011-0712\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1082\", \"CVE-2011-1090\", \"CVE-2011-1093\", \"CVE-2011-1163\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1478\", \"CVE-2011-1493\", \"CVE-2011-1573\");\n\n script_name(english:\"SuSE 11.1 Security Update : Linux kernel (SAT Patch Number 4376)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to\n2.6.32.36 and fixes various bugs and security issues.\n\nThe following security issues were fixed :\n\n - When parsing the FAC_NATIONAL_DIGIS facilities field, it\n was possible for a remote host to provide more\n digipeaters than expected, resulting in heap corruption.\n (CVE-2011-1493)\n\n - (no CVEs assigned yet): In the rose networking stack,\n when parsing the FAC_CCITT_DEST_NSAP and\n FAC_CCITT_SRC_NSAP facilities fields, a remote host\n could provide a length of less than 10, resulting in an\n underflow in a memcpy size, causing a kernel panic due\n to massive heap corruption. A length of greater than 20\n results in a stack overflow of the callsign array\n\n - The code for evaluating OSF partitions (in\n fs/partitions/osf.c) contained a bug that leaks data\n from kernel heap memory to userspace for certain\n corrupted OSF partitions. (CVE-2011-1163)\n\n - A bug in the order of dccp_rcv_state_process() was fixed\n that still permitted reception even after closing the\n socket. A Reset after close thus causes a NULL pointer\n dereference by not preventing operations on an already\n torn-down socket. (CVE-2011-1093)\n\n - A signedness issue in drm_modeset_ctl() could be used by\n local attackers with access to the drm devices to\n potentially crash the kernel or escalate privileges.\n (CVE-2011-1013)\n\n - The epoll subsystem in Linux did not prevent users from\n creating circular epoll file structures, potentially\n leading to a denial of service (kernel deadlock).\n (CVE-2011-1082)\n\n - Multiple buffer overflows in the caiaq Native\n Instruments USB audio functionality in the Linux kernel\n might have allowed attackers to cause a denial of\n service or possibly have unspecified other impact via a\n long USB device name, related to (1) the\n snd_usb_caiaq_audio_init function in\n sound/usb/caiaq/audio.c and (2) the\n snd_usb_caiaq_midi_init function in\n sound/usb/caiaq/midi.c. (CVE-2011-0712)\n\n - Local attackers could send signals to their programs\n that looked like coming from the kernel, potentially\n gaining privileges in the context of setuid programs.\n (CVE-2011-1182)\n\n - An issue in the core GRO code where an skb belonging to\n an unknown VLAN is reused could result in a NULL pointer\n dereference. (CVE-2011-1478)\n\n - Specially crafted requests may be written to\n /dev/sequencer resulting in an underflow when\n calculating a size for a copy_from_user() operation in\n the driver for MIDI interfaces. On x86, this just\n returns an error, but it could have caused memory\n corruption on other architectures. Other malformed\n requests could have resulted in the use of uninitialized\n variables. (CVE-2011-1476)\n\n - Due to a failure to validate user-supplied indexes in\n the driver for Yamaha YM3812 and OPL-3 chips, a\n specially crafted ioctl request could have been sent to\n /dev/sequencer, resulting in reading and writing beyond\n the bounds of heap buffers, and potentially allowing\n privilege escalation. (CVE-2011-1477)\n\n - A information leak in the XFS geometry calls could be\n used by local attackers to gain access to kernel\n information. (CVE-2011-0191)\n\n - A page allocator issue in NFS v4 ACL handling that could\n lead to a denial of service (crash) was fixed.\n (CVE-2011-1090)\n\n - net/ipv4/inet_diag.c in the Linux kernel did not\n properly audit INET_DIAG bytecode, which allowed local\n users to cause a denial of service (kernel infinite\n loop) via crafted INET_DIAG_REQ_BYTECODE instructions in\n a netlink message that contains multiple attribute\n elements, as demonstrated by INET_DIAG_BC_JMP\n instructions. (CVE-2010-3880)\n\n - Fixed a buffer size issue in 'usb iowarrior' module,\n where a malicious device could overflow a kernel buffer.\n (CVE-2010-4656)\n\n - The dvb_ca_ioctl function in\n drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel\n did not check the sign of a certain integer field, which\n allowed local users to cause a denial of service (memory\n corruption) or possibly have unspecified other impact\n via a negative value. (CVE-2011-0521)\n\n - In the IrDA module, length fields provided by a peer for\n names and attributes may be longer than the destination\n array sizes and were not checked, this allowed local\n attackers (close to the irda port) to potentially\n corrupt memory. (CVE-2011-1180)\n\n - A system out of memory condition (denial of service)\n could be triggered with a large socket backlog,\n exploitable by local users. This has been addressed by\n backlog limiting. (CVE-2010-4251)\n\n - The Radeon GPU drivers in the Linux kernel did not\n properly validate data related to the AA resolve\n registers, which allowed local users to write to\n arbitrary memory locations associated with (1) Video RAM\n (aka VRAM) or (2) the Graphics Translation Table (GTT)\n via crafted values. (CVE-2011-1016)\n\n - Boundschecking was missing in AARESOLVE_OFFSET, which\n allowed local attackers to overwrite kernel memory and\n so escalate privileges or crash the kernel.\n (CVE-2011-1573)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=558740\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=566768\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=620929\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=622597\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=622868\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=629170\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=632317\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=637377\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=643266\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=644630\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=649473\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=650545\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=651599\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=654169\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=655973\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=656219\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=656587\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=658413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=660507\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=663313\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=663513\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=666836\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=666842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=667766\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=668101\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=668895\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=668896\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=668898\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=669058\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=669571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=669889\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=670154\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=670615\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=670979\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=671296\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=671943\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=672453\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=672499\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=672505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=673516\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=673934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=674549\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=674691\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=674693\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=675115\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=675963\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=676202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=676419\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677286\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677391\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677398\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677563\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677676\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677783\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=678466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=679545\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=679588\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=679812\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=680845\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681175\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681497\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681826\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=68199\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=682333\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=682940\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=682941\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=682965\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=683569\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=684085\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=684248\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=686813\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3880.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-4251.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-4656.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-0191.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-0521.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-0712.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1013.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1016.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1082.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1090.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1093.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1163.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1180.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1182.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1476.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1477.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1478.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1493.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1573.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 4376.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:btrfs-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:btrfs-kmp-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-desktop-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-ec2-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-trace-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-xen-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, \"SuSE 11.1\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"btrfs-kmp-default-0_2.6.32.36_0.5-0.3.40\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"btrfs-kmp-xen-0_2.6.32.36_0.5-0.3.40\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"hyper-v-kmp-default-0_2.6.32.36_0.5-0.14.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"kernel-default-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"kernel-default-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"kernel-default-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"kernel-default-extra-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"kernel-desktop-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"kernel-source-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"kernel-syms-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"kernel-xen-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"kernel-xen-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"kernel-xen-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"kernel-xen-extra-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"btrfs-kmp-default-0_2.6.32.36_0.5-0.3.40\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"btrfs-kmp-xen-0_2.6.32.36_0.5-0.3.40\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"ext4dev-kmp-default-0_2.6.32.36_0.5-7.9.8\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"ext4dev-kmp-xen-0_2.6.32.36_0.5-7.9.8\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"hyper-v-kmp-default-0_2.6.32.36_0.5-0.14.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-default-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-default-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-default-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-ec2-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-ec2-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-source-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-syms-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-trace-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-trace-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-trace-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-xen-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-xen-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"x86_64\", reference:\"kernel-xen-devel-2.6.32.36-0.5.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:28:07", "description": "The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.36 and fixes various bugs and security issues.\n\nThe following security issues were fixed :\n\n - When parsing the FAC_NATIONAL_DIGIS facilities field, it was possible for a remote host to provide more digipeaters than expected, resulting in heap corruption.\n (CVE-2011-1493)\n\n - (no CVEs assigned yet): In the rose networking stack, when parsing the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP facilities fields, a remote host could provide a length of less than 10, resulting in an underflow in a memcpy size, causing a kernel panic due to massive heap corruption. A length of greater than 20 results in a stack overflow of the callsign array\n\n - The code for evaluating OSF partitions (in fs/partitions/osf.c) contained a bug that leaks data from kernel heap memory to userspace for certain corrupted OSF partitions. (CVE-2011-1163)\n\n - A bug in the order of dccp_rcv_state_process() was fixed that still permitted reception even after closing the socket. A Reset after close thus causes a NULL pointer dereference by not preventing operations on an already torn-down socket. (CVE-2011-1093)\n\n - A signedness issue in drm_modeset_ctl() could be used by local attackers with access to the drm devices to potentially crash the kernel or escalate privileges.\n (CVE-2011-1013)\n\n - The epoll subsystem in Linux did not prevent users from creating circular epoll file structures, potentially leading to a denial of service (kernel deadlock).\n (CVE-2011-1082)\n\n - Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel might have allowed attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c. (CVE-2011-0712)\n\n - Local attackers could send signals to their programs that looked like coming from the kernel, potentially gaining privileges in the context of setuid programs.\n (CVE-2011-1182)\n\n - An issue in the core GRO code where an skb belonging to an unknown VLAN is reused could result in a NULL pointer dereference. (CVE-2011-1478)\n\n - Specially crafted requests may be written to /dev/sequencer resulting in an underflow when calculating a size for a copy_from_user() operation in the driver for MIDI interfaces. On x86, this just returns an error, but it could have caused memory corruption on other architectures. Other malformed requests could have resulted in the use of uninitialized variables. (CVE-2011-1476)\n\n - Due to a failure to validate user-supplied indexes in the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request could have been sent to /dev/sequencer, resulting in reading and writing beyond the bounds of heap buffers, and potentially allowing privilege escalation. (CVE-2011-1477)\n\n - A information leak in the XFS geometry calls could be used by local attackers to gain access to kernel information. (CVE-2011-0191)\n\n - A page allocator issue in NFS v4 ACL handling that could lead to a denial of service (crash) was fixed.\n (CVE-2011-1090)\n\n - net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions. (CVE-2010-3880)\n\n - Fixed a buffer size issue in 'usb iowarrior' module, where a malicious device could overflow a kernel buffer.\n (CVE-2010-4656)\n\n - The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel did not check the sign of a certain integer field, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value. (CVE-2011-0521)\n\n - In the IrDA module, length fields provided by a peer for names and attributes may be longer than the destination array sizes and were not checked, this allowed local attackers (close to the irda port) to potentially corrupt memory. (CVE-2011-1180)\n\n - A system out of memory condition (denial of service) could be triggered with a large socket backlog, exploitable by local users. This has been addressed by backlog limiting. (CVE-2010-4251)\n\n - The Radeon GPU drivers in the Linux kernel did not properly validate data related to the AA resolve registers, which allowed local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values. (CVE-2011-1016)\n\n - Boundschecking was missing in AARESOLVE_OFFSET, which allowed local attackers to overwrite kernel memory and so escalate privileges or crash the kernel.\n (CVE-2011-1573)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2011-04-28T00:00:00", "type": "nessus", "title": "SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 4384 / 4386)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3880", "CVE-2010-4251", "CVE-2010-4656", "CVE-2011-0191", "CVE-2011-0521", "CVE-2011-0712", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1082", "CVE-2011-1090", "CVE-2011-1093", "CVE-2011-1163", "CVE-2011-1180", "CVE-2011-1182", "CVE-2011-1476", "CVE-2011-1477", "CVE-2011-1478", "CVE-2011-1493", "CVE-2011-1573"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:btrfs-kmp-default", "p-cpe:/a:novell:suse_linux:11:btrfs-kmp-pae", "p-cpe:/a:novell:suse_linux:11:btrfs-kmp-xen", "p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-default", "p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-pae", "p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-xen", "p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-default", "p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-pae", "p-cpe:/a:novell:suse_linux:11:kernel-default", "p-cpe:/a:novell:suse_linux:11:kernel-default-base", "p-cpe:/a:novell:suse_linux:11:kernel-default-devel", "p-cpe:/a:novell:suse_linux:11:kernel-default-extra", "p-cpe:/a:novell:suse_linux:11:kernel-default-man", "p-cpe:/a:novell:suse_linux:11:kernel-desktop-devel", "p-cpe:/a:novell:suse_linux:11:kernel-ec2", "p-cpe:/a:novell:suse_linux:11:kernel-ec2-base", "p-cpe:/a:novell:suse_linux:11:kernel-pae", "p-cpe:/a:novell:suse_linux:11:kernel-pae-base", "p-cpe:/a:novell:suse_linux:11:kernel-pae-devel", "p-cpe:/a:novell:suse_linux:11:kernel-pae-extra", "p-cpe:/a:novell:suse_linux:11:kernel-source", "p-cpe:/a:novell:suse_linux:11:kernel-syms", "p-cpe:/a:novell:suse_linux:11:kernel-trace", "p-cpe:/a:novell:suse_linux:11:kernel-trace-base", "p-cpe:/a:novell:suse_linux:11:kernel-trace-devel", "p-cpe:/a:novell:suse_linux:11:kernel-xen", "p-cpe:/a:novell:suse_linux:11:kernel-xen-base", "p-cpe:/a:novell:suse_linux:11:kernel-xen-devel", "p-cpe:/a:novell:suse_linux:11:kernel-xen-extra", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_11_KERNEL-110414.NASL", "href": "https://www.tenable.com/plugins/nessus/53570", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(53570);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2010-3880\", \"CVE-2010-4251\", \"CVE-2010-4656\", \"CVE-2011-0191\", \"CVE-2011-0521\", \"CVE-2011-0712\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1082\", \"CVE-2011-1090\", \"CVE-2011-1093\", \"CVE-2011-1163\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1478\", \"CVE-2011-1493\", \"CVE-2011-1573\");\n\n script_name(english:\"SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 4384 / 4386)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to\n2.6.32.36 and fixes various bugs and security issues.\n\nThe following security issues were fixed :\n\n - When parsing the FAC_NATIONAL_DIGIS facilities field, it\n was possible for a remote host to provide more\n digipeaters than expected, resulting in heap corruption.\n (CVE-2011-1493)\n\n - (no CVEs assigned yet): In the rose networking stack,\n when parsing the FAC_CCITT_DEST_NSAP and\n FAC_CCITT_SRC_NSAP facilities fields, a remote host\n could provide a length of less than 10, resulting in an\n underflow in a memcpy size, causing a kernel panic due\n to massive heap corruption. A length of greater than 20\n results in a stack overflow of the callsign array\n\n - The code for evaluating OSF partitions (in\n fs/partitions/osf.c) contained a bug that leaks data\n from kernel heap memory to userspace for certain\n corrupted OSF partitions. (CVE-2011-1163)\n\n - A bug in the order of dccp_rcv_state_process() was fixed\n that still permitted reception even after closing the\n socket. A Reset after close thus causes a NULL pointer\n dereference by not preventing operations on an already\n torn-down socket. (CVE-2011-1093)\n\n - A signedness issue in drm_modeset_ctl() could be used by\n local attackers with access to the drm devices to\n potentially crash the kernel or escalate privileges.\n (CVE-2011-1013)\n\n - The epoll subsystem in Linux did not prevent users from\n creating circular epoll file structures, potentially\n leading to a denial of service (kernel deadlock).\n (CVE-2011-1082)\n\n - Multiple buffer overflows in the caiaq Native\n Instruments USB audio functionality in the Linux kernel\n might have allowed attackers to cause a denial of\n service or possibly have unspecified other impact via a\n long USB device name, related to (1) the\n snd_usb_caiaq_audio_init function in\n sound/usb/caiaq/audio.c and (2) the\n snd_usb_caiaq_midi_init function in\n sound/usb/caiaq/midi.c. (CVE-2011-0712)\n\n - Local attackers could send signals to their programs\n that looked like coming from the kernel, potentially\n gaining privileges in the context of setuid programs.\n (CVE-2011-1182)\n\n - An issue in the core GRO code where an skb belonging to\n an unknown VLAN is reused could result in a NULL pointer\n dereference. (CVE-2011-1478)\n\n - Specially crafted requests may be written to\n /dev/sequencer resulting in an underflow when\n calculating a size for a copy_from_user() operation in\n the driver for MIDI interfaces. On x86, this just\n returns an error, but it could have caused memory\n corruption on other architectures. Other malformed\n requests could have resulted in the use of uninitialized\n variables. (CVE-2011-1476)\n\n - Due to a failure to validate user-supplied indexes in\n the driver for Yamaha YM3812 and OPL-3 chips, a\n specially crafted ioctl request could have been sent to\n /dev/sequencer, resulting in reading and writing beyond\n the bounds of heap buffers, and potentially allowing\n privilege escalation. (CVE-2011-1477)\n\n - A information leak in the XFS geometry calls could be\n used by local attackers to gain access to kernel\n information. (CVE-2011-0191)\n\n - A page allocator issue in NFS v4 ACL handling that could\n lead to a denial of service (crash) was fixed.\n (CVE-2011-1090)\n\n - net/ipv4/inet_diag.c in the Linux kernel did not\n properly audit INET_DIAG bytecode, which allowed local\n users to cause a denial of service (kernel infinite\n loop) via crafted INET_DIAG_REQ_BYTECODE instructions in\n a netlink message that contains multiple attribute\n elements, as demonstrated by INET_DIAG_BC_JMP\n instructions. (CVE-2010-3880)\n\n - Fixed a buffer size issue in 'usb iowarrior' module,\n where a malicious device could overflow a kernel buffer.\n (CVE-2010-4656)\n\n - The dvb_ca_ioctl function in\n drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel\n did not check the sign of a certain integer field, which\n allowed local users to cause a denial of service (memory\n corruption) or possibly have unspecified other impact\n via a negative value. (CVE-2011-0521)\n\n - In the IrDA module, length fields provided by a peer for\n names and attributes may be longer than the destination\n array sizes and were not checked, this allowed local\n attackers (close to the irda port) to potentially\n corrupt memory. (CVE-2011-1180)\n\n - A system out of memory condition (denial of service)\n could be triggered with a large socket backlog,\n exploitable by local users. This has been addressed by\n backlog limiting. (CVE-2010-4251)\n\n - The Radeon GPU drivers in the Linux kernel did not\n properly validate data related to the AA resolve\n registers, which allowed local users to write to\n arbitrary memory locations associated with (1) Video RAM\n (aka VRAM) or (2) the Graphics Translation Table (GTT)\n via crafted values. (CVE-2011-1016)\n\n - Boundschecking was missing in AARESOLVE_OFFSET, which\n allowed local attackers to overwrite kernel memory and\n so escalate privileges or crash the kernel.\n (CVE-2011-1573)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=558740\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=566768\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=620929\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=622597\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=622868\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=629170\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=632317\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=637377\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=643266\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=644630\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=649473\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=650545\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=651599\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=654169\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=655973\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=656219\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=656587\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=658413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=660507\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=663313\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=663513\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=666836\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=666842\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=667766\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=668101\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=668895\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=668896\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=668898\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=669058\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=669571\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=669889\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=670154\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=670615\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=670979\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=671296\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=671943\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=672453\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=672499\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=672505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=673516\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=673934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=674549\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=674691\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=674693\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=675115\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=675963\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=676202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=676419\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677286\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677391\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677398\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677563\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677676\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677783\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=678466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=679545\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=679588\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=679812\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=680845\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681175\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681497\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681826\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=68199\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=682333\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=682940\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=682941\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=682965\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=683569\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=684085\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=684248\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=686813\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3880.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-4251.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-4656.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-0191.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-0521.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-0712.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1013.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1016.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1082.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1090.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1093.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1163.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1180.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1182.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1476.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1477.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1478.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1493.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1573.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Apply SAT patch number 4384 / 4386 as appropriate.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:btrfs-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:btrfs-kmp-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:btrfs-kmp-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-desktop-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-ec2-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-pae-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-pae-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-pae-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-trace-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kernel-xen-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, \"SuSE 11.1\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"btrfs-kmp-default-0_2.6.32.36_0.5-0.3.40\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"btrfs-kmp-pae-0_2.6.32.36_0.5-0.3.40\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"btrfs-kmp-xen-0_2.6.32.36_0.5-0.3.40\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"hyper-v-kmp-default-0_2.6.32.36_0.5-0.14.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"hyper-v-kmp-pae-0_2.6.32.36_0.5-0.14.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-default-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-default-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-default-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-default-extra-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-desktop-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-pae-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-pae-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-pae-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-pae-extra-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-source-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-syms-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-xen-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-xen-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-xen-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"kernel-xen-extra-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"btrfs-kmp-default-0_2.6.32.36_0.5-0.3.40\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"btrfs-kmp-pae-0_2.6.32.36_0.5-0.3.40\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"btrfs-kmp-xen-0_2.6.32.36_0.5-0.3.40\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"ext4dev-kmp-default-0_2.6.32.36_0.5-7.9.8\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"ext4dev-kmp-pae-0_2.6.32.36_0.5-7.9.8\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"ext4dev-kmp-xen-0_2.6.32.36_0.5-7.9.8\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"hyper-v-kmp-default-0_2.6.32.36_0.5-0.14.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"hyper-v-kmp-pae-0_2.6.32.36_0.5-0.14.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-default-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-default-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-default-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-ec2-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-ec2-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-pae-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-pae-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-pae-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-source-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-syms-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-trace-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-trace-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-trace-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-xen-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-xen-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"i586\", reference:\"kernel-xen-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"btrfs-kmp-default-0_2.6.32.36_0.5-0.3.40\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"ext4dev-kmp-default-0_2.6.32.36_0.5-7.9.8\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"kernel-default-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"kernel-default-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"kernel-default-devel-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"kernel-default-man-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"kernel-source-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"kernel-syms-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"kernel-trace-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"kernel-trace-base-2.6.32.36-0.5.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:1, cpu:\"s390x\", reference:\"kernel-trace-devel-2.6.32.36-0.5.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-18T14:31:37", "description": "The openSUSE 11.4 kernel was updated to 2.6.37.6 fixing lots of bugs and security issues.\n\nFollowing security issues have been fixed: CVE-2011-1493: In the rose networking stack, when parsing the FAC_NATIONAL_DIGIS facilities field, it was possible for a remote host to provide more digipeaters than expected, resulting in heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and abort facilities parsing on failure.\n\nCVE-2011-1182: Local attackers could send signals to their programs that looked like coming from the kernel, potentially gaining privileges in the context of setuid programs.\n\nCVE-2011-1478: An issue in the core GRO code where an skb belonging to an unknown VLAN is reused could result in a NULL pointer dereference.\n\nCVE-2011-1476: Specially crafted requests may be written to /dev/sequencer resulting in an underflow when calculating a size for a copy_from_user() operation in the driver for MIDI interfaces. On x86, this just returns an error, but it could have caused memory corruption on other architectures. Other malformed requests could have resulted in the use of uninitialized variables.\n\nCVE-2011-1477: Due to a failure to validate user-supplied indexes in the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request could have been sent to /dev/sequencer, resulting in reading and writing beyond the bounds of heap buffers, and potentially allowing privilege escalation.\n\nCVE-2011-0191: A information leak in the XFS geometry calls could be used by local attackers to gain access to kernel information.\n\nCVE-2011-0711: A stack memory information leak in the xfs FSGEOMETRY_V1 ioctl was fixed.\n\nCVE-2011-0521: The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel did not check the sign of a certain integer field, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value.\n\nCVE-2011-1010: The code for evaluating Mac partitions (in fs/partitions/mac.c) contained a bug that could crash the kernel for certain corrupted Mac partitions.\n\nCVE-2011-0712: Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel might have allowed attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.\n\nCVE-2011-1013: A signedness issue in the drm ioctl handling could be used by local attackers to potentially overflow kernel buffers and execute code.\n\nCVE-2011-1082: The epoll subsystem in Linux did not prevent users from creating circular epoll file structures, potentially leading to a denial of service (kernel deadlock).\n\nCVE-2010-4650: A kernel buffer overflow in the cuse server module was fixed, which might have allowed local privilege escalation. However only CUSE servers could exploit it and /dev/cuse is normally restricted to root.\n\nCVE-2011-1093: A bug was fixed in the DCCP networking stack where the order of dccp_rcv_state_process() still permitted reception even after closing the socket. A Reset after close thus causes a NULL pointer dereference by not preventing operations on an already torn-down socket.\n\nCVE-2011-1163: The code for evaluating OSF partitions (in fs/partitions/osf.c) contained a bug that leaks data from kernel heap memory to userspace for certain corrupted OSF partitions.\n\nCVE-2011-1012: The code for evaluating LDM partitions (in fs/partitions/ldm.c) contained a bug that could crash the kernel for certain corrupted LDM partitions.\n\nCVE-2011-1581: Doing bridging with devices with more than 16 receive queues could crash the kernel.\n\nCVE-2011-1160: Kernel information via the TPM devices could by used by local attackers to read kernel memory.\n\nCVE-2011-1577: The Linux kernel automatically evaluated partition tables of storage devices. The code for evaluating EFI GUID partitions (in fs/partitions/efi.c) contained a bug that causes a kernel oops on certain corrupted GUID partition tables, which might be used by local attackers to crash the kernel or potentially execute code.\n\nCVE-2011-1180: In the IrDA module, length fields provided by a peer for names and attributes may be longer than the destination array sizes and were not checked, this allowed local attackers (close to the irda port) to potentially corrupt memory.\n\nCVE-2011-1016: The Radeon GPU drivers in the Linux kernel did not properly validate data related to the AA resolve registers, which allowed local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2014-06-13T00:00:00", "type": "nessus", "title": "openSUSE Security Update : kernel (openSUSE-SU-2011:0416-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4650", "CVE-2011-0191", "CVE-2011-0521", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-1010", "CVE-2011-1012", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1082", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1163", "CVE-2011-1180", "CVE-2011-1182", "CVE-2011-1476", "CVE-2011-1477", "CVE-2011-1478", "CVE-2011-1493", "CVE-2011-1577", "CVE-2011-1581"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:kernel-debug", "p-cpe:/a:novell:opensuse:kernel-debug-base", "p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug-debugsource", "p-cpe:/a:novell:opensuse:kernel-debug-devel", "p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default", "p-cpe:/a:novell:opensuse:kernel-default-base", "p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default-debugsource", "p-cpe:/a:novell:opensuse:kernel-default-devel", "p-cpe:/a:novell:opensuse:kernel-default-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-desktop", "p-cpe:/a:novell:opensuse:kernel-desktop-base", "p-cpe:/a:novell:opensuse:kernel-desktop-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-desktop-debuginfo", "p-cpe:/a:novell:opensuse:kernel-desktop-debugsource", "p-cpe:/a:novell:opensuse:kernel-desktop-devel", "p-cpe:/a:novell:opensuse:kernel-desktop-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-devel", "p-cpe:/a:novell:opensuse:kernel-ec2", "p-cpe:/a:novell:opensuse:kernel-ec2-base", "p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo", "p-cpe:/a:novell:opensuse:kernel-ec2-debugsource", "p-cpe:/a:novell:opensuse:kernel-ec2-devel", "p-cpe:/a:novell:opensuse:kernel-ec2-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-ec2-extra", "p-cpe:/a:novell:opensuse:kernel-ec2-extra-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pae", "p-cpe:/a:novell:opensuse:kernel-pae-base", "p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pae-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pae-debugsource", "p-cpe:/a:novell:opensuse:kernel-pae-devel", "p-cpe:/a:novell:opensuse:kernel-pae-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-source", "p-cpe:/a:novell:opensuse:kernel-source-vanilla", "p-cpe:/a:novell:opensuse:kernel-syms", "p-cpe:/a:novell:opensuse:kernel-trace", "p-cpe:/a:novell:opensuse:kernel-trace-base", "p-cpe:/a:novell:opensuse:kernel-trace-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-trace-debuginfo", "p-cpe:/a:novell:opensuse:kernel-trace-debugsource", "p-cpe:/a:novell:opensuse:kernel-trace-devel", "p-cpe:/a:novell:opensuse:kernel-trace-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vanilla", "p-cpe:/a:novell:opensuse:kernel-vanilla-base", "p-cpe:/a:novell:opensuse:kernel-vanilla-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource", "p-cpe:/a:novell:opensuse:kernel-vanilla-devel", "p-cpe:/a:novell:opensuse:kernel-vanilla-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vmi", "p-cpe:/a:novell:opensuse:kernel-vmi-base", "p-cpe:/a:novell:opensuse:kernel-vmi-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vmi-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vmi-debugsource", "p-cpe:/a:novell:opensuse:kernel-vmi-devel", "p-cpe:/a:novell:opensuse:kernel-vmi-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-xen", "p-cpe:/a:novell:opensuse:kernel-xen-base", "p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-xen-debuginfo", "p-cpe:/a:novell:opensuse:kernel-xen-debugsource", "p-cpe:/a:novell:opensuse:kernel-xen-devel", "p-cpe:/a:novell:opensuse:kernel-xen-devel-debuginfo", "p-cpe:/a:novell:opensuse:preload-kmp-default", "p-cpe:/a:novell:opensuse:preload-kmp-default-debuginfo", "p-cpe:/a:novell:opensuse:preload-kmp-desktop", "p-cpe:/a:novell:opensuse:preload-kmp-desktop-debuginfo", "cpe:/o:novell:opensuse:11.4"], "id": "SUSE_11_4_KERNEL-110426.NASL", "href": "https://www.tenable.com/plugins/nessus/75879", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update kernel-4437.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75879);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-4650\", \"CVE-2011-0191\", \"CVE-2011-0521\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1082\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1478\", \"CVE-2011-1493\", \"CVE-2011-1577\", \"CVE-2011-1581\");\n\n script_name(english:\"openSUSE Security Update : kernel (openSUSE-SU-2011:0416-1)\");\n script_summary(english:\"Check for the kernel-4437 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The openSUSE 11.4 kernel was updated to 2.6.37.6 fixing lots of bugs\nand security issues.\n\nFollowing security issues have been fixed: CVE-2011-1493: In the rose\nnetworking stack, when parsing the FAC_NATIONAL_DIGIS facilities\nfield, it was possible for a remote host to provide more digipeaters\nthan expected, resulting in heap corruption. Check against\nROSE_MAX_DIGIS to prevent overflows, and abort facilities parsing on\nfailure.\n\nCVE-2011-1182: Local attackers could send signals to their programs\nthat looked like coming from the kernel, potentially gaining\nprivileges in the context of setuid programs.\n\nCVE-2011-1478: An issue in the core GRO code where an skb belonging to\nan unknown VLAN is reused could result in a NULL pointer dereference.\n\nCVE-2011-1476: Specially crafted requests may be written to\n/dev/sequencer resulting in an underflow when calculating a size for a\ncopy_from_user() operation in the driver for MIDI interfaces. On x86,\nthis just returns an error, but it could have caused memory corruption\non other architectures. Other malformed requests could have resulted\nin the use of uninitialized variables.\n\nCVE-2011-1477: Due to a failure to validate user-supplied indexes in\nthe driver for Yamaha YM3812 and OPL-3 chips, a specially crafted\nioctl request could have been sent to /dev/sequencer, resulting in\nreading and writing beyond the bounds of heap buffers, and potentially\nallowing privilege escalation.\n\nCVE-2011-0191: A information leak in the XFS geometry calls could be\nused by local attackers to gain access to kernel information.\n\nCVE-2011-0711: A stack memory information leak in the xfs\nFSGEOMETRY_V1 ioctl was fixed.\n\nCVE-2011-0521: The dvb_ca_ioctl function in\ndrivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel did not check\nthe sign of a certain integer field, which allowed local users to\ncause a denial of service (memory corruption) or possibly have\nunspecified other impact via a negative value.\n\nCVE-2011-1010: The code for evaluating Mac partitions (in\nfs/partitions/mac.c) contained a bug that could crash the kernel for\ncertain corrupted Mac partitions.\n\nCVE-2011-0712: Multiple buffer overflows in the caiaq Native\nInstruments USB audio functionality in the Linux kernel might have\nallowed attackers to cause a denial of service or possibly have\nunspecified other impact via a long USB device name, related to (1)\nthe snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and\n(2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.\n\nCVE-2011-1013: A signedness issue in the drm ioctl handling could be\nused by local attackers to potentially overflow kernel buffers and\nexecute code.\n\nCVE-2011-1082: The epoll subsystem in Linux did not prevent users from\ncreating circular epoll file structures, potentially leading to a\ndenial of service (kernel deadlock).\n\nCVE-2010-4650: A kernel buffer overflow in the cuse server module was\nfixed, which might have allowed local privilege escalation. However\nonly CUSE servers could exploit it and /dev/cuse is normally\nrestricted to root.\n\nCVE-2011-1093: A bug was fixed in the DCCP networking stack where the\norder of dccp_rcv_state_process() still permitted reception even after\nclosing the socket. A Reset after close thus causes a NULL pointer\ndereference by not preventing operations on an already torn-down\nsocket.\n\nCVE-2011-1163: The code for evaluating OSF partitions (in\nfs/partitions/osf.c) contained a bug that leaks data from kernel heap\nmemory to userspace for certain corrupted OSF partitions.\n\nCVE-2011-1012: The code for evaluating LDM partitions (in\nfs/partitions/ldm.c) contained a bug that could crash the kernel for\ncertain corrupted LDM partitions.\n\nCVE-2011-1581: Doing bridging with devices with more than 16 receive\nqueues could crash the kernel.\n\nCVE-2011-1160: Kernel information via the TPM devices could by used by\nlocal attackers to read kernel memory.\n\nCVE-2011-1577: The Linux kernel automatically evaluated partition\ntables of storage devices. The code for evaluating EFI GUID partitions\n(in fs/partitions/efi.c) contained a bug that causes a kernel oops on\ncertain corrupted GUID partition tables, which might be used by local\nattackers to crash the kernel or potentially execute code.\n\nCVE-2011-1180: In the IrDA module, length fields provided by a peer\nfor names and attributes may be longer than the destination array\nsizes and were not checked, this allowed local attackers (close to the\nirda port) to potentially corrupt memory.\n\nCVE-2011-1016: The Radeon GPU drivers in the Linux kernel did not\nproperly validate data related to the AA resolve registers, which\nallowed local users to write to arbitrary memory locations associated\nwith (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table\n(GTT) via crafted values.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=554081\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=558740\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=607239\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=610598\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=644807\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=648742\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=662733\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=662945\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=667793\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=668101\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=668437\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=668880\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=669394\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=669889\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=669937\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=672505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=672524\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=673934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=673992\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=674245\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=674254\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=674691\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=674693\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=674735\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=676202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677256\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677676\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=677738\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=678123\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=678466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=678472\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=678497\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=678970\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=679016\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=679143\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=679588\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=679898\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=680040\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=680073\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=680510\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=680816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=680932\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681076\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681175\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681297\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681497\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681826\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=681999\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=682725\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=682965\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=684112\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=684248\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=685469\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=687113\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=687116\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-04/msg00083.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vmi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vmi-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vmi-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vmi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vmi-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vmi-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vmi-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:preload-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:preload-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:preload-kmp-desktop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:preload-kmp-desktop-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-debug-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-debug-base-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-debug-base-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-debug-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-debug-debugsource-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-debug-devel-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-debug-devel-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-default-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-default-base-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-default-base-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-default-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-default-debugsource-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-default-devel-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-default-devel-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-desktop-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-desktop-base-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-desktop-base-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-desktop-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-desktop-debugsource-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-desktop-devel-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-desktop-devel-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-devel-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-ec2-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-ec2-base-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-ec2-base-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-ec2-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-ec2-debugsource-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-ec2-devel-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-ec2-devel-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-ec2-extra-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-ec2-extra-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-pae-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-pae-base-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-pae-base-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-pae-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-pae-debugsource-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-pae-devel-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-pae-devel-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-source-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-source-vanilla-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-syms-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-trace-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-trace-base-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-trace-base-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-trace-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-trace-debugsource-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-trace-devel-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-trace-devel-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vanilla-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vanilla-base-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vanilla-base-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vanilla-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vanilla-debugsource-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vanilla-devel-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vanilla-devel-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vmi-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vmi-base-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vmi-base-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vmi-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vmi-debugsource-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vmi-devel-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-vmi-devel-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-xen-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-xen-base-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-xen-base-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-xen-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-xen-debugsource-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-xen-devel-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"kernel-xen-devel-debuginfo-2.6.37.6-0.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"preload-kmp-default-1.2_k2.6.37.6_0.5-6.7.3\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"preload-kmp-default-debuginfo-1.2_k2.6.37.6_0.5-6.7.3\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"preload-kmp-desktop-1.2_k2.6.37.6_0.5-6.7.3\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"preload-kmp-desktop-debuginfo-1.2_k2.6.37.6_0.5-6.7.3\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:35:26", "description": "It was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)\n\nJohan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)\n\nDan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493)\n\nIt was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy.\n(CVE-2011-2492)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used by amateur radio. A local user or a remote user on an X.25 network could exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913)\n\nBen Hutchings discovered several flaws in the Linux Rose (X.25 PLP) layer. A local user or a remote user on an X.25 network could exploit these flaws to execute arbitrary code as root. (CVE-2011-4914).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2011-08-20T00:00:00", "type": "nessus", "title": "Ubuntu 8.04 LTS : linux vulnerabilities (USN-1189-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1020", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1180", "CVE-2011-1493", "CVE-2011-2492", "CVE-2011-4913", "CVE-2011-4914"], "modified": "2019-10-16T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpiacompat", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-openvz", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-rt", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-xen", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts"], "id": "UBUNTU_USN-1189-1.NASL", "href": "https://www.tenable.com/plugins/nessus/55922", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1189-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55922);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/10/16 10:34:22\");\n\n script_cve_id(\"CVE-2011-1020\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1180\", \"CVE-2011-1493\", \"CVE-2011-2492\", \"CVE-2011-4913\", \"CVE-2011-4914\");\n script_bugtraq_id(46567, 46616, 46793, 46866, 46935, 46980, 48441);\n script_xref(name:\"USN\", value:\"1189-1\");\n\n script_name(english:\"Ubuntu 8.04 LTS : linux vulnerabilities (USN-1189-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the /proc filesystem did not correctly handle\npermission changes when programs executed. A local attacker could hold\nopen files to examine details about programs running with higher\nprivileges, potentially increasing the chances of exploiting\nadditional vulnerabilities. (CVE-2011-1020)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\nclear memory. A local attacker could exploit this to read kernel stack\nmemory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\ncheck that device name strings were NULL terminated. A local attacker\ncould exploit this to crash the system, leading to a denial of\nservice, or leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check\nthat name fields were NULL terminated. A local attacker could exploit\nthis to leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1080)\n\nJohan Hovold discovered that the DCCP network stack did not correctly\nhandle certain packet combinations. A remote attacker could send\nspecially crafted network traffic that would crash the system, leading\nto a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly\ninitialize memory. A local attacker could exploit this to read kernel\nheap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly\ncheck certain field sizes. If a system was using IRDA, a remote\nattacker could send specially crafted traffic to crash the system or\ngain root privileges. (CVE-2011-1180)\n\nDan Rosenberg discovered that the X.25 Rose network stack did not\ncorrectly handle certain fields. If a system was running with Rose\nenabled, a remote attacker could send specially crafted traffic to\ngain root privileges. (CVE-2011-1493)\n\nIt was discovered that Bluetooth l2cap and rfcomm did not correctly\ninitialize structures. A local attacker could exploit this to read\nportions of the kernel stack, leading to a loss of privacy.\n(CVE-2011-2492)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used\nby amateur radio. A local user or a remote user on an X.25 network\ncould exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913)\n\nBen Hutchings discovered several flaws in the Linux Rose (X.25 PLP)\nlayer. A local user or a remote user on an X.25 network could exploit\nthese flaws to execute arbitrary code as root. (CVE-2011-4914).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1189-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpiacompat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-openvz\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/08/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/08/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(8\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2011-1020\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1180\", \"CVE-2011-1493\", \"CVE-2011-2492\", \"CVE-2011-4913\", \"CVE-2011-4914\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1189-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-386\", pkgver:\"2.6.24-29.93\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-generic\", pkgver:\"2.6.24-29.93\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-lpia\", pkgver:\"2.6.24-29.93\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-lpiacompat\", pkgver:\"2.6.24-29.93\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-openvz\", pkgver:\"2.6.24-29.93\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-rt\", pkgver:\"2.6.24-29.93\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-server\", pkgver:\"2.6.24-29.93\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-virtual\", pkgver:\"2.6.24-29.93\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-xen\", pkgver:\"2.6.24-29.93\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-2.6-386 / linux-image-2.6-generic / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:35:11", "description": "It was discovered that KVM did not correctly initialize certain CPU registers. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3698)\n\nThomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user.\n(CVE-2010-3865)\n\nVasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3875)\n\nVasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876)\n\nVasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3877)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)\n\nVasiliy Kulikov discovered that kvm did not correctly clear memory. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2010-3881)\n\nDan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077)\n\nDan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4079)\n\nDan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083)\n\nDan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163, CVE-2010-4668)\n\nIt was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248)\n\nNelson Elhage discovered that Econet did not correctly handle AUN packets over UDP. A local attacker could send specially crafted traffic to crash the system, leading to a denial of service.\n(CVE-2010-4342)\n\nTavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks.\n(CVE-2010-4346)\n\nDan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this crash the system or gain root privileges. (CVE-2010-4527)\n\nDan Rosenberg discovered that IRDA did not correctly check the size of buffers. On non-x86 systems, a local attacker could exploit this to read kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel addresses into the /proc filesystem. A local attacker could use this to increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nDan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)\n\nKees Cook discovered that the IOWarrior USB device driver did not correctly check certain size fields. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2010-4656)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized data from the disk, leading to a loss of privacy. (CVE-2011-0463)\n\nDan Carpenter discovered that the TTPCI DVB driver did not check certain values during an ioctl. If the dvb-ttpci module was loaded, a local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-0521)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race condition. On systems using InfiniBand, a local attacker could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory.\nA local attacker could make crafted ioctl calls to leak portions of kernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nRafael Dominguez Vega discovered that the caiaq Native Instruments USB driver did not correctly validate string lengths. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2011-0712)\n\nKees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726)\n\nTimo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010)\n\nTimo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1012)\n\nMatthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not correctly validate certain registers. On systems with specific hardware, a local attacker could exploit this to write to arbitrary video memory.\n(CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did not correctly handle certain values. By inserting a specially crafted disk device, a local attacker could exploit this to gain root privileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not needed to load kernel modules. A local attacker with the CAP_NET_ADMIN capability could load existing kernel modules, possibly increasing the attack surface available on the system. (CVE-2011-1019)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)\n\nNelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service.\n(CVE-2011-1082)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain orders of operation with ACL data. A remote attacker with access to an NFSv4 mount could exploit this to crash the system, leading to a denial of service. (CVE-2011-1090)\n\nJohan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nTimo Warns discovered that OSF partition parsing routines did not correctly clear memory. A local attacker with physical access could plug in a specially crafted block device to read kernel memory, leading to a loss of privacy. (CVE-2011-1163)\n\nDan Rosenberg discovered that some ALSA drivers did not correctly check the adapter index during ioctl calls. If this driver was loaded, a local attacker could make a specially crafted ioctl call to gain root privileges. (CVE-2011-1169)\n\nVasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate the signal structure from tkill(). A local attacker could exploit this to send signals to arbitrary threads, possibly bypassing expected restrictions. (CVE-2011-1182)\n\nRyan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that MPT devices did not correctly validate certain values in ioctl calls. If these drivers were loaded, a local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nTimo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577)\n\nTavis Ormandy discovered that the pidmap function did not correctly handle large requests. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain ioctl values. A local attacker with access to the video subsystem could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-1745, CVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size of certain memory allocations. A local attacker with access to the video subsystem could exploit this to run the system out of memory, leading to a denial of service. (CVE-2011-1746).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2011-08-09T00:00:00", "type": "nessus", "title": "Ubuntu 10.04 LTS : linux-lts-backport-maverick vulnerabilities (USN-1187-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3698", "CVE-2010-3865", "CVE-2010-3875", "CVE-2010-3876", "CVE-2010-3877", "CVE-2010-3880", "CVE-2010-3881", "CVE-2010-4075", "CVE-2010-4076", "CVE-2010-4077", "CVE-2010-4079", "CVE-2010-4083", "CVE-2010-4163", "CVE-2010-4248", "CVE-2010-4342", "CVE-2010-4346", "CVE-2010-4527", "CVE-2010-4529", "CVE-2010-4565", "CVE-2010-4649", "CVE-2010-4656", "CVE-2010-4668", "CVE-2011-0463", "CVE-2011-0521", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-1010", "CVE-2011-1012", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1017", "CVE-2011-1019", "CVE-2011-1044", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1082", "CVE-2011-1090", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1163", "CVE-2011-1169", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1173", "CVE-2011-1180", "CVE-2011-1182", "CVE-2011-1478", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1577", "CVE-2011-1593", "CVE-2011-1598", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1748", "CVE-2011-2022", "CVE-2011-2534"], "modified": "2019-09-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts"], "id": "UBUNTU_USN-1187-1.NASL", "href": "https://www.tenable.com/plugins/nessus/55785", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1187-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55785);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/09/19 12:54:27\");\n\n script_cve_id(\"CVE-2010-3698\", \"CVE-2010-3865\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-3881\", \"CVE-2010-4075\", \"CVE-2010-4076\", \"CVE-2010-4077\", \"CVE-2010-4079\", \"CVE-2010-4083\", \"CVE-2010-4163\", \"CVE-2010-4248\", \"CVE-2010-4342\", \"CVE-2010-4346\", \"CVE-2010-4527\", \"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2010-4656\", \"CVE-2010-4668\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1044\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1090\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1478\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1577\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1748\", \"CVE-2011-2022\", \"CVE-2011-2534\");\n script_bugtraq_id(43806, 43809, 44500, 44549, 44630, 44661, 44665, 44666, 44793, 45028, 45059, 45062, 45321, 45323, 45556, 45629, 45660, 45986, 46069, 46073, 46417, 46419, 46488, 46492, 46512, 46557, 46616, 46630, 46766, 46839, 47116, 47639, 47791, 47792);\n script_xref(name:\"USN\", value:\"1187-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS : linux-lts-backport-maverick vulnerabilities (USN-1187-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that KVM did not correctly initialize certain CPU\nregisters. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-3698)\n\nThomas Pollet discovered that the RDS network protocol did not check\ncertain iovec buffers. A local attacker could exploit this to crash\nthe system or possibly execute arbitrary code as the root user.\n(CVE-2010-3865)\n\nVasiliy Kulikov discovered that the Linux kernel X.25 implementation\ndid not correctly clear kernel memory. A local attacker could exploit\nthis to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3875)\n\nVasiliy Kulikov discovered that the Linux kernel sockets\nimplementation did not properly initialize certain structures. A local\nattacker could exploit this to read kernel stack memory, leading to a\nloss of privacy. (CVE-2010-3876)\n\nVasiliy Kulikov discovered that the TIPC interface did not correctly\ninitialize certain structures. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3877)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation did\nnot properly audit certain bytecodes in netlink messages. A local\nattacker could exploit this to cause the kernel to hang, leading to a\ndenial of service. (CVE-2010-3880)\n\nVasiliy Kulikov discovered that kvm did not correctly clear memory. A\nlocal attacker could exploit this to read portions of the kernel\nstack, leading to a loss of privacy. (CVE-2010-3881)\n\nDan Rosenberg discovered that multiple terminal ioctls did not\ncorrectly initialize structure memory. A local attacker could exploit\nthis to read portions of kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077)\n\nDan Rosenberg discovered that the ivtv V4L driver did not correctly\ninitialize certian structures. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4079)\n\nDan Rosenberg discovered that the semctl syscall did not correctly\nclear kernel memory. A local attacker could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-4083)\n\nDan Rosenberg discovered that the SCSI subsystem did not correctly\nvalidate iov segments. A local attacker with access to a SCSI device\ncould send specially crafted requests to crash the system, leading to\na denial of service. (CVE-2010-4163, CVE-2010-4668)\n\nIt was discovered that multithreaded exec did not handle CPU timers\ncorrectly. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4248)\n\nNelson Elhage discovered that Econet did not correctly handle AUN\npackets over UDP. A local attacker could send specially crafted\ntraffic to crash the system, leading to a denial of service.\n(CVE-2010-4342)\n\nTavis Ormandy discovered that the install_special_mapping function\ncould bypass the mmap_min_addr restriction. A local attacker could\nexploit this to mmap 4096 bytes below the mmap_min_addr area, possibly\nimproving the chances of performing NULL pointer dereference attacks.\n(CVE-2010-4346)\n\nDan Rosenberg discovered that the OSS subsystem did not handle name\ntermination correctly. A local attacker could exploit this crash the\nsystem or gain root privileges. (CVE-2010-4527)\n\nDan Rosenberg discovered that IRDA did not correctly check the size of\nbuffers. On non-x86 systems, a local attacker could exploit this to\nread kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel\naddresses into the /proc filesystem. A local attacker could use this\nto increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nDan Carpenter discovered that the Infiniband driver did not correctly\nhandle certain requests. A local user could exploit this to crash the\nsystem or potentially gain root privileges. (CVE-2010-4649,\nCVE-2011-1044)\n\nKees Cook discovered that the IOWarrior USB device driver did not\ncorrectly check certain size fields. A local attacker with physical\naccess could plug in a specially crafted USB device to crash the\nsystem or potentially gain root privileges. (CVE-2010-4656)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not\ncorrectly clear memory when writing certain file holes. A local\nattacker could exploit this to read uninitialized data from the disk,\nleading to a loss of privacy. (CVE-2011-0463)\n\nDan Carpenter discovered that the TTPCI DVB driver did not check\ncertain values during an ioctl. If the dvb-ttpci module was loaded, a\nlocal attacker could exploit this to crash the system, leading to a\ndenial of service, or possibly gain root privileges. (CVE-2011-0521)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race\ncondition. On systems using InfiniBand, a local attacker could send\nspecially crafted requests to crash the system, leading to a denial of\nservice. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory.\nA local attacker could make crafted ioctl calls to leak portions of\nkernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nRafael Dominguez Vega discovered that the caiaq Native Instruments USB\ndriver did not correctly validate string lengths. A local attacker\nwith physical access could plug in a specially crafted USB device to\ncrash the system or potentially gain root privileges. (CVE-2011-0712)\n\nKees Cook reported that /proc/pid/stat did not correctly filter\ncertain memory locations. A local attacker could determine the memory\nlayout of processes in an attempt to increase the chances of a\nsuccessful memory corruption exploit. (CVE-2011-0726)\n\nTimo Warns discovered that MAC partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem or potentially gain root privileges. (CVE-2011-1010)\n\nTimo Warns discovered that LDM partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem, leading to a denial of service. (CVE-2011-1012)\n\nMatthiew Herrb discovered that the drm modeset interface did not\ncorrectly handle a signed comparison. A local attacker could exploit\nthis to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not correctly\nvalidate certain registers. On systems with specific hardware, a local\nattacker could exploit this to write to arbitrary video memory.\n(CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did\nnot correctly handle certain values. By inserting a specially crafted\ndisk device, a local attacker could exploit this to gain root\nprivileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not\nneeded to load kernel modules. A local attacker with the CAP_NET_ADMIN\ncapability could load existing kernel modules, possibly increasing the\nattack surface available on the system. (CVE-2011-1019)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\nclear memory. A local attacker could exploit this to read kernel stack\nmemory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\ncheck that device name strings were NULL terminated. A local attacker\ncould exploit this to crash the system, leading to a denial of\nservice, or leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check\nthat name fields were NULL terminated. A local attacker could exploit\nthis to leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1080)\n\nNelson Elhage discovered that the epoll subsystem did not correctly\nhandle certain structures. A local attacker could create malicious\nrequests that would hang the system, leading to a denial of service.\n(CVE-2011-1082)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain\norders of operation with ACL data. A remote attacker with access to an\nNFSv4 mount could exploit this to crash the system, leading to a\ndenial of service. (CVE-2011-1090)\n\nJohan Hovold discovered that the DCCP network stack did not correctly\nhandle certain packet combinations. A remote attacker could send\nspecially crafted network traffic that would crash the system, leading\nto a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly\ninitialize memory. A local attacker could exploit this to read kernel\nheap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nTimo Warns discovered that OSF partition parsing routines did not\ncorrectly clear memory. A local attacker with physical access could\nplug in a specially crafted block device to read kernel memory,\nleading to a loss of privacy. (CVE-2011-1163)\n\nDan Rosenberg discovered that some ALSA drivers did not correctly\ncheck the adapter index during ioctl calls. If this driver was loaded,\na local attacker could make a specially crafted ioctl call to gain\nroot privileges. (CVE-2011-1169)\n\nVasiliy Kulikov discovered that the netfilter code did not check\ncertain strings copied from userspace. A local attacker with netfilter\naccess could exploit this to read kernel memory or crash the system,\nleading to a denial of service. (CVE-2011-1170, CVE-2011-1171,\nCVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver\ndid not correctly initialize memory. A remote attacker could send\nspecially crafted traffic to read kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly\ncheck certain field sizes. If a system was using IRDA, a remote\nattacker could send specially crafted traffic to crash the system or\ngain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate\nthe signal structure from tkill(). A local attacker could exploit this\nto send signals to arbitrary threads, possibly bypassing expected\nrestrictions. (CVE-2011-1182)\n\nRyan Sweat discovered that the GRO code did not correctly validate\nmemory. In some configurations on systems using VLANs, a remote\nattacker could send specially crafted traffic to crash the system,\nleading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that MPT devices did not correctly validate\ncertain values in ioctl calls. If these drivers were loaded, a local\nattacker could exploit this to read arbitrary kernel memory, leading\nto a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nTimo Warns discovered that the GUID partition parsing routines did not\ncorrectly validate certain structures. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem, leading to a denial of service. (CVE-2011-1577)\n\nTavis Ormandy discovered that the pidmap function did not correctly\nhandle large requests. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver\ndid not correctly validate certain socket structures. If this driver\nwas loaded, a local attacker could crash the system, leading to a\ndenial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain\nioctl values. A local attacker with access to the video subsystem\ncould exploit this to crash the system, leading to a denial of\nservice, or possibly gain root privileges. (CVE-2011-1745,\nCVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size\nof certain memory allocations. A local attacker with access to the\nvideo subsystem could exploit this to run the system out of memory,\nleading to a denial of service. (CVE-2011-1746).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1187-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/08/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2010-3698\", \"CVE-2010-3865\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-3881\", \"CVE-2010-4075\", \"CVE-2010-4076\", \"CVE-2010-4077\", \"CVE-2010-4079\", \"CVE-2010-4083\", \"CVE-2010-4163\", \"CVE-2010-4248\", \"CVE-2010-4342\", \"CVE-2010-4346\", \"CVE-2010-4527\", \"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2010-4656\", \"CVE-2010-4668\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1044\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1090\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1478\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1577\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1748\", \"CVE-2011-2022\", \"CVE-2011-2534\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1187-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.35-30-generic\", pkgver:\"2.6.35-30.56~lucid1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.35-30-generic-pae\", pkgver:\"2.6.35-30.56~lucid1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.35-30-server\", pkgver:\"2.6.35-30.56~lucid1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.35-30-virtual\", pkgver:\"2.6.35-30.56~lucid1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-2.6-generic / linux-image-2.6-generic-pae / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-18T14:26:37", "description": "Update to kernel 2.6.34.9 :\n\nhttp://ftp.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.34/ChangeLog\n-2.6.34.9\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2011-06-22T00:00:00", "type": "nessus", "title": "Fedora 13 : kernel-2.6.34.9-69.fc13 (2011-6447)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3079", "CVE-2010-3084", "CVE-2010-4527", "CVE-2011-1013", "CVE-2011-1079", "CVE-2011-1093", "CVE-2011-1182", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-2022"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:13"], "id": "FEDORA_2011-6447.NASL", "href": "https://www.tenable.com/plugins/nessus/55386", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-6447.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(55386);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2010-3079\", \"CVE-2010-3084\", \"CVE-2010-4527\", \"CVE-2011-1013\", \"CVE-2011-1079\", \"CVE-2011-1093\", \"CVE-2011-1182\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-2022\");\n script_bugtraq_id(43098, 43684, 45629, 46616, 46793, 47003, 47185, 47534, 47535, 47639, 47843);\n script_xref(name:\"FEDORA\", value:\"2011-6447\");\n\n script_name(english:\"Fedora 13 : kernel-2.6.34.9-69.fc13 (2011-6447)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to kernel 2.6.34.9 :\n\nhttp://ftp.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.34/ChangeLog\n-2.6.34.9\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://ftp.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.34/ChangeLog-2.6.34.9\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bb8ea742\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=631623\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=632069\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=667615\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=679925\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=681260\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=682954\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=690028\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=694021\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=698996\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=698998\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-June/061668.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4243c7fa\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:13\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/06/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^13([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 13.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC13\", reference:\"kernel-2.6.34.9-69.fc13\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:26:28", "description": "It was discovered that KVM did not correctly initialize certain CPU registers. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3698)\n\nThomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user.\n(CVE-2010-3865)\n\nVasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3875)\n\nVasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876)\n\nVasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3877)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)\n\nDan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4079)\n\nDan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083)\n\nIt was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248)\n\nVegard Nossum discovered a leak in the kernel's inotify_init() system call. A local, unprivileged user could exploit this to cause a denial of service. (CVE-2010-4250)\n\nNelson Elhage discovered that Econet did not correctly handle AUN packets over UDP. A local attacker could send specially crafted traffic to crash the system, leading to a denial of service.\n(CVE-2010-4342)\n\nTavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks.\n(CVE-2010-4346)\n\nDan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this crash the system or gain root privileges. (CVE-2010-4527)\n\nAn error was reported in the kernel's ORiNOCO wireless driver's handling of TKIP countermeasures. This reduces the amount of time an attacker needs breach a wireless network using WPA+TKIP for security.\n(CVE-2010-4648)\n\nDan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)\n\nAn error was discovered in the kernel's handling of CUSE (Character device in Userspace). A local attacker might exploit this flaw to escalate privilege, if access to /dev/cuse has been modified to allow non-root users. (CVE-2010-4650)\n\nA flaw was found in the kernel's Integrity Measurement Architecture (IMA). Changes made by an attacker might not be discovered by IMA, if SELinux was disabled, and a new IMA rule was loaded. (CVE-2011-0006)\n\nIt was discovered that some import kernel threads can be blocked by a user level process. An unprivileged local user could exploit this flaw to cause a denial of service. (CVE-2011-4621).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2011-03-02T00:00:00", "type": "nessus", "title": "Ubuntu 10.10 : linux vulnerabilities (USN-1081-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3698", "CVE-2010-3865", "CVE-2010-3875", "CVE-2010-3876", "CVE-2010-3877", "CVE-2010-3880", "CVE-2010-4079", "CVE-2010-4083", "CVE-2010-4248", "CVE-2010-4250", "CVE-2010-4342", "CVE-2010-4346", "CVE-2010-4527", "CVE-2010-4648", "CVE-2010-4649", "CVE-2010-4650", "CVE-2011-0006", "CVE-2011-1044", "CVE-2011-4621"], "modified": "2019-09-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-doc", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic-pae", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev", "p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.35", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-2.6", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-common", "cpe:/o:canonical:ubuntu_linux:10.10"], "id": "UBUNTU_USN-1081-1.NASL", "href": "https://www.tenable.com/plugins/nessus/52500", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1081-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(52500);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/09/19 12:54:26\");\n\n script_cve_id(\"CVE-2010-3698\", \"CVE-2010-3865\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-4079\", \"CVE-2010-4083\", \"CVE-2010-4248\", \"CVE-2010-4250\", \"CVE-2010-4342\", \"CVE-2010-4346\", \"CVE-2010-4527\", \"CVE-2010-4648\", \"CVE-2010-4649\", \"CVE-2010-4650\", \"CVE-2011-0006\", \"CVE-2011-1044\", \"CVE-2011-4621\");\n script_bugtraq_id(44549, 44630, 44665, 45028, 45062, 45321, 45323, 45629, 46073, 46488);\n script_xref(name:\"USN\", value:\"1081-1\");\n\n script_name(english:\"Ubuntu 10.10 : linux vulnerabilities (USN-1081-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that KVM did not correctly initialize certain CPU\nregisters. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-3698)\n\nThomas Pollet discovered that the RDS network protocol did not check\ncertain iovec buffers. A local attacker could exploit this to crash\nthe system or possibly execute arbitrary code as the root user.\n(CVE-2010-3865)\n\nVasiliy Kulikov discovered that the Linux kernel X.25 implementation\ndid not correctly clear kernel memory. A local attacker could exploit\nthis to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3875)\n\nVasiliy Kulikov discovered that the Linux kernel sockets\nimplementation did not properly initialize certain structures. A local\nattacker could exploit this to read kernel stack memory, leading to a\nloss of privacy. (CVE-2010-3876)\n\nVasiliy Kulikov discovered that the TIPC interface did not correctly\ninitialize certain structures. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3877)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation did\nnot properly audit certain bytecodes in netlink messages. A local\nattacker could exploit this to cause the kernel to hang, leading to a\ndenial of service. (CVE-2010-3880)\n\nDan Rosenberg discovered that the ivtv V4L driver did not correctly\ninitialize certian structures. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4079)\n\nDan Rosenberg discovered that the semctl syscall did not correctly\nclear kernel memory. A local attacker could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-4083)\n\nIt was discovered that multithreaded exec did not handle CPU timers\ncorrectly. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4248)\n\nVegard Nossum discovered a leak in the kernel's inotify_init() system\ncall. A local, unprivileged user could exploit this to cause a denial\nof service. (CVE-2010-4250)\n\nNelson Elhage discovered that Econet did not correctly handle AUN\npackets over UDP. A local attacker could send specially crafted\ntraffic to crash the system, leading to a denial of service.\n(CVE-2010-4342)\n\nTavis Ormandy discovered that the install_special_mapping function\ncould bypass the mmap_min_addr restriction. A local attacker could\nexploit this to mmap 4096 bytes below the mmap_min_addr area, possibly\nimproving the chances of performing NULL pointer dereference attacks.\n(CVE-2010-4346)\n\nDan Rosenberg discovered that the OSS subsystem did not handle name\ntermination correctly. A local attacker could exploit this crash the\nsystem or gain root privileges. (CVE-2010-4527)\n\nAn error was reported in the kernel's ORiNOCO wireless driver's\nhandling of TKIP countermeasures. This reduces the amount of time an\nattacker needs breach a wireless network using WPA+TKIP for security.\n(CVE-2010-4648)\n\nDan Carpenter discovered that the Infiniband driver did not correctly\nhandle certain requests. A local user could exploit this to crash the\nsystem or potentially gain root privileges. (CVE-2010-4649,\nCVE-2011-1044)\n\nAn error was discovered in the kernel's handling of CUSE (Character\ndevice in Userspace). A local attacker might exploit this flaw to\nescalate privilege, if access to /dev/cuse has been modified to allow\nnon-root users. (CVE-2010-4650)\n\nA flaw was found in the kernel's Integrity Measurement Architecture\n(IMA). Changes made by an attacker might not be discovered by IMA, if\nSELinux was disabled, and a new IMA rule was loaded. (CVE-2011-0006)\n\nIt was discovered that some import kernel threads can be blocked by a\nuser level process. An unprivileged local user could exploit this flaw\nto cause a denial of service. (CVE-2011-4621).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1081-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.35\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-2.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-common\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2010-3698\", \"CVE-2010-3865\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-4079\", \"CVE-2010-4083\", \"CVE-2010-4248\", \"CVE-2010-4250\", \"CVE-2010-4342\", \"CVE-2010-4346\", \"CVE-2010-4527\", \"CVE-2010-4648\", \"CVE-2010-4649\", \"CVE-2010-4650\", \"CVE-2011-0006\", \"CVE-2011-1044\", \"CVE-2011-4621\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1081-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-doc\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-headers-2.6.35-27\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-headers-2.6.35-27-generic\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-headers-2.6.35-27-generic-pae\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-headers-2.6.35-27-server\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-headers-2.6.35-27-virtual\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-27-generic\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-27-generic-pae\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-27-server\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-27-versatile\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-27-virtual\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-libc-dev\", pkgver:\"2.6.35-1027.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-source-2.6.35\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-tools-2.6.35-27\", pkgver:\"2.6.35-27.48\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-tools-common\", pkgver:\"2.6.35-27.48\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-doc / linux-headers-2.6 / linux-headers-2.6-generic / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-17T14:22:57", "description": "Brad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243)\n\nAlexander Duyck discovered that the Intel Gigabit Ethernet driver did not correctly handle certain configurations. If such a device was configured without VLANs, a remote attacker could crash the system, leading to a denial of service. (CVE-2010-4263)\n\nNelson Elhage discovered that Econet did not correctly handle AUN packets over UDP. A local attacker could send specially crafted traffic to crash the system, leading to a denial of service.\n(CVE-2010-4342)\n\nDan Rosenberg discovered that IRDA did not correctly check the size of buffers. On non-x86 systems, a local attacker could exploit this to read kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel addresses into the /proc filesystem. A local attacker could use this to increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized data from the disk, leading to a loss of privacy. (CVE-2011-0463)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race condition. On systems using InfiniBand, a local attacker could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory.\nA local attacker could make crafted ioctl calls to leak portions of kernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nKees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726)\n\nMatthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not correctly validate certain registers. On systems with specific hardware, a local attacker could exploit this to write to arbitrary video memory.\n(CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did not correctly handle certain values. By inserting a specially crafted disk device, a local attacker could exploit this to gain root privileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not needed to load kernel modules. A local attacker with the CAP_NET_ADMIN capability could load existing kernel modules, possibly increasing the attack surface available on the system. (CVE-2011-1019)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain orders of operation with ACL data. A remote attacker with access to an NFSv4 mount could exploit this to crash the system, leading to a denial of service. (CVE-2011-1090)\n\nPeter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nTimo Warns discovered that OSF partition parsing routines did not correctly clear memory. A local attacker with physical access could plug in a specially crafted block device to read kernel memory, leading to a loss of privacy. (CVE-2011-1163)\n\nVasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate the signal structure from tkill(). A local attacker could exploit this to send signals to arbitrary threads, possibly bypassing expected restrictions. (CVE-2011-1182)\n\nDan Rosenberg reported errors in the OSS (Open Sound System) MIDI interface. A local attacker on non-x86 systems might be able to cause a denial of service. (CVE-2011-1476)\n\nDan Rosenberg reported errors in the kernel's OSS (Open Sound System) driver for Yamaha FM synthesizer chips. A local user can exploit this to cause memory corruption, causing a denial of service or privilege escalation. (CVE-2011-1477)\n\nRyan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that MPT devices did not correctly validate certain values in ioctl calls. If these drivers were loaded, a local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nIt was discovered that the Stream Control Transmission Protocol (SCTP) implementation incorrectly calculated lengths. If the net.sctp.addip_enable variable was turned on, a remote attacker could send specially crafted traffic to crash the system. (CVE-2011-1573)\n\nTavis Ormandy discovered that the pidmap function did not correctly handle large requests. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain ioctl values. A local attacker with access to the video subsystem could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-1745, CVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size of certain memory allocations. A local attacker with access to the video subsystem could exploit this to run the system out of memory, leading to a denial of service. (CVE-2011-1746)\n\nDan Rosenberg reported an error in the old ABI compatibility layer of ARM kernels. A local attacker could exploit this flaw to cause a denial of service or gain root privileges. (CVE-2011-1759)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle certain packet structures. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1770)\n\nTimo Warns discovered that the EFI GUID partition table was not correctly parsed. A physically local attacker that could insert mountable devices could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1776)\n\nA flaw was found in the b43 driver in the Linux kernel. An attacker could use this flaw to cause a denial of service if the system has an active wireless interface using the b43 driver. (CVE-2011-3359)\n\nYogesh Sharma discovered that CIFS did not correctly handle UNCs that had no prefixpaths. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-3363)\n\nMaynard Johnson discovered that on POWER7, certain speculative events may raise a performance monitor exception. A local attacker could exploit this to crash the system, leading to a denial of service.\n(CVE-2011-4611)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used by amateur radio. A local user or a remote user on an X.25 network could exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2011-07-14T00:00:00", "type": "nessus", "title": "Ubuntu 10.10 : linux-mvl-dove vulnerabilities (USN-1159-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.9, "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4243", "CVE-2010-4263", "CVE-2010-4342", "CVE-2010-4529", "CVE-2010-4565", "CVE-2011-0463", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-0726", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1017", "CVE-2011-1019", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1090", "CVE-2011-1160", "CVE-2011-1163", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1173", "CVE-2011-1180", "CVE-2011-1182", "CVE-2011-1476", "CVE-2011-1477", "CVE-2011-1478", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1573", "CVE-2011-1593", "CVE-2011-1598", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1747", "CVE-2011-1748", "CVE-2011-1759", "CVE-2011-1770", "CVE-2011-1776", "CVE-2011-2022", "CVE-2011-2534", "CVE-2011-3359", "CVE-2011-3363", "CVE-2011-4611", "CVE-2011-4913"], "modified": "2016-05-26T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:10.10"], "id": "UBUNTU_USN-1159-1.NASL", "href": "https://www.tenable.com/plugins/nessus/55589", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1159-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55589);\n script_version(\"$Revision: 1.5 $\");\n script_cvs_date(\"$Date: 2016/05/26 16:14:08 $\");\n\n script_cve_id(\"CVE-2010-4243\", \"CVE-2010-4263\", \"CVE-2010-4342\", \"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2011-0463\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0726\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1090\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1478\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1573\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1747\", \"CVE-2011-1748\", \"CVE-2011-1759\", \"CVE-2011-1770\", \"CVE-2011-1776\", \"CVE-2011-2022\", \"CVE-2011-2534\", \"CVE-2011-3359\", \"CVE-2011-3363\", \"CVE-2011-4611\", \"CVE-2011-4913\");\n script_bugtraq_id(44661, 44666, 45004, 45208, 45321, 45556, 46417, 46557, 46766, 46839, 46878, 46919, 46921, 47003, 47116, 47185, 47497, 47503, 47534, 47535, 47639, 47769, 47791, 47792, 47832, 47835, 47843, 47990);\n script_xref(name:\"USN\", value:\"1159-1\");\n\n script_name(english:\"Ubuntu 10.10 : linux-mvl-dove vulnerabilities (USN-1159-1)\");\n script_summary(english:\"Checks dpkg output for updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Brad Spengler discovered that the kernel did not correctly account for\nuserspace memory allocations during exec() calls. A local attacker\ncould exploit this to consume all system memory, leading to a denial\nof service. (CVE-2010-4243)\n\nAlexander Duyck discovered that the Intel Gigabit Ethernet driver did\nnot correctly handle certain configurations. If such a device was\nconfigured without VLANs, a remote attacker could crash the system,\nleading to a denial of service. (CVE-2010-4263)\n\nNelson Elhage discovered that Econet did not correctly handle AUN\npackets over UDP. A local attacker could send specially crafted\ntraffic to crash the system, leading to a denial of service.\n(CVE-2010-4342)\n\nDan Rosenberg discovered that IRDA did not correctly check the size of\nbuffers. On non-x86 systems, a local attacker could exploit this to\nread kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel\naddresses into the /proc filesystem. A local attacker could use this\nto increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not\ncorrectly clear memory when writing certain file holes. A local\nattacker could exploit this to read uninitialized data from the disk,\nleading to a loss of privacy. (CVE-2011-0463)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race\ncondition. On systems using InfiniBand, a local attacker could send\nspecially crafted requests to crash the system, leading to a denial of\nservice. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory.\nA local attacker could make crafted ioctl calls to leak portions of\nkernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nKees Cook reported that /proc/pid/stat did not correctly filter\ncertain memory locations. A local attacker could determine the memory\nlayout of processes in an attempt to increase the chances of a\nsuccessful memory corruption exploit. (CVE-2011-0726)\n\nMatthiew Herrb discovered that the drm modeset interface did not\ncorrectly handle a signed comparison. A local attacker could exploit\nthis to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not correctly\nvalidate certain registers. On systems with specific hardware, a local\nattacker could exploit this to write to arbitrary video memory.\n(CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did\nnot correctly handle certain values. By inserting a specially crafted\ndisk device, a local attacker could exploit this to gain root\nprivileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not\nneeded to load kernel modules. A local attacker with the CAP_NET_ADMIN\ncapability could load existing kernel modules, possibly increasing the\nattack surface available on the system. (CVE-2011-1019)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\nclear memory. A local attacker could exploit this to read kernel stack\nmemory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\ncheck that device name strings were NULL terminated. A local attacker\ncould exploit this to crash the system, leading to a denial of\nservice, or leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check\nthat name fields were NULL terminated. A local attacker could exploit\nthis to leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1080)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain\norders of operation with ACL data. A remote attacker with access to an\nNFSv4 mount could exploit this to crash the system, leading to a\ndenial of service. (CVE-2011-1090)\n\nPeter Huewe discovered that the TPM device did not correctly\ninitialize memory. A local attacker could exploit this to read kernel\nheap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nTimo Warns discovered that OSF partition parsing routines did not\ncorrectly clear memory. A local attacker with physical access could\nplug in a specially crafted block device to read kernel memory,\nleading to a loss of privacy. (CVE-2011-1163)\n\nVasiliy Kulikov discovered that the netfilter code did not check\ncertain strings copied from userspace. A local attacker with netfilter\naccess could exploit this to read kernel memory or crash the system,\nleading to a denial of service. (CVE-2011-1170, CVE-2011-1171,\nCVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver\ndid not correctly initialize memory. A remote attacker could send\nspecially crafted traffic to read kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly\ncheck certain field sizes. If a system was using IRDA, a remote\nattacker could send specially crafted traffic to crash the system or\ngain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate\nthe signal structure from tkill(). A local attacker could exploit this\nto send signals to arbitrary threads, possibly bypassing expected\nrestrictions. (CVE-2011-1182)\n\nDan Rosenberg reported errors in the OSS (Open Sound System) MIDI\ninterface. A local attacker on non-x86 systems might be able to cause\na denial of service. (CVE-2011-1476)\n\nDan Rosenberg reported errors in the kernel's OSS (Open Sound System)\ndriver for Yamaha FM synthesizer chips. A local user can exploit this\nto cause memory corruption, causing a denial of service or privilege\nescalation. (CVE-2011-1477)\n\nRyan Sweat discovered that the GRO code did not correctly validate\nmemory. In some configurations on systems using VLANs, a remote\nattacker could send specially crafted traffic to crash the system,\nleading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that MPT devices did not correctly validate\ncertain values in ioctl calls. If these drivers were loaded, a local\nattacker could exploit this to read arbitrary kernel memory, leading\nto a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nIt was discovered that the Stream Control Transmission Protocol (SCTP)\nimplementation incorrectly calculated lengths. If the\nnet.sctp.addip_enable variable was turned on, a remote attacker could\nsend specially crafted traffic to crash the system. (CVE-2011-1573)\n\nTavis Ormandy discovered that the pidmap function did not correctly\nhandle large requests. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver\ndid not correctly validate certain socket structures. If this driver\nwas loaded, a local attacker could crash the system, leading to a\ndenial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain\nioctl values. A local attacker with access to the video subsystem\ncould exploit this to crash the system, leading to a denial of\nservice, or possibly gain root privileges. (CVE-2011-1745,\nCVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size\nof certain memory allocations. A local attacker with access to the\nvideo subsystem could exploit this to run the system out of memory,\nleading to a denial of service. (CVE-2011-1746)\n\nDan Rosenberg reported an error in the old ABI compatibility layer of\nARM kernels. A local attacker could exploit this flaw to cause a\ndenial of service or gain root privileges. (CVE-2011-1759)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle\ncertain packet structures. A remote attacker could exploit this to\ncrash the system, leading to a denial of service. (CVE-2011-1770)\n\nTimo Warns discovered that the EFI GUID partition table was not\ncorrectly parsed. A physically local attacker that could insert\nmountable devices could exploit this to crash the system or possibly\ngain root privileges. (CVE-2011-1776)\n\nA flaw was found in the b43 driver in the Linux kernel. An attacker\ncould use this flaw to cause a denial of service if the system has an\nactive wireless interface using the b43 driver. (CVE-2011-3359)\n\nYogesh Sharma discovered that CIFS did not correctly handle UNCs that\nhad no prefixpaths. A local attacker with access to a CIFS partition\ncould exploit this to crash the system, leading to a denial of\nservice. (CVE-2011-3363)\n\nMaynard Johnson discovered that on POWER7, certain speculative events\nmay raise a performance monitor exception. A local attacker could\nexploit this to crash the system, leading to a denial of service.\n(CVE-2011-4611)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used\nby amateur radio. A local user or a remote user on an X.25 network\ncould exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913).\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-2.6.32-417-dove package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/07/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/07/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2013 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/Ubuntu/release\") ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.32-417-dove\", pkgver:\"2.6.32-417.34\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:ubuntu_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-17T14:22:40", "description": "Brad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243)\n\nAlexander Duyck discovered that the Intel Gigabit Ethernet driver did not correctly handle certain configurations. If such a device was configured without VLANs, a remote attacker could crash the system, leading to a denial of service. (CVE-2010-4263)\n\nNelson Elhage discovered that Econet did not correctly handle AUN packets over UDP. A local attacker could send specially crafted traffic to crash the system, leading to a denial of service.\n(CVE-2010-4342)\n\nDan Rosenberg discovered that IRDA did not correctly check the size of buffers. On non-x86 systems, a local attacker could exploit this to read kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel addresses into the /proc filesystem. A local attacker could use this to increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized data from the disk, leading to a loss of privacy. (CVE-2011-0463)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race condition. On systems using InfiniBand, a local attacker could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory.\nA local attacker could make crafted ioctl calls to leak portions of kernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nKees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726)\n\nMatthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not correctly validate certain registers. On systems with specific hardware, a local attacker could exploit this to write to arbitrary video memory.\n(CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did not correctly handle certain values. By inserting a specially crafted disk device, a local attacker could exploit this to gain root privileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not needed to load kernel modules. A local attacker with the CAP_NET_ADMIN capability could load existing kernel modules, possibly increasing the attack surface available on the system. (CVE-2011-1019)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain orders of operation with ACL data. A remote attacker with access to an NFSv4 mount could exploit this to crash the system, leading to a denial of service. (CVE-2011-1090)\n\nPeter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nTimo Warns discovered that OSF partition parsing routines did not correctly clear memory. A local attacker with physical access could plug in a specially crafted block device to read kernel memory, leading to a loss of privacy. (CVE-2011-1163)\n\nVasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate the signal structure from tkill(). A local attacker could exploit this to send signals to arbitrary threads, possibly bypassing expected restrictions. (CVE-2011-1182)\n\nDan Rosenberg reported errors in the OSS (Open Sound System) MIDI interface. A local attacker on non-x86 systems might be able to cause a denial of service. (CVE-2011-1476)\n\nDan Rosenberg reported errors in the kernel's OSS (Open Sound System) driver for Yamaha FM synthesizer chips. A local user can exploit this to cause memory corruption, causing a denial of service or privilege escalation. (CVE-2011-1477)\n\nRyan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that MPT devices did not correctly validate certain values in ioctl calls. If these drivers were loaded, a local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nIt was discovered that the Stream Control Transmission Protocol (SCTP) implementation incorrectly calculated lengths. If the net.sctp.addip_enable variable was turned on, a remote attacker could send specially crafted traffic to crash the system. (CVE-2011-1573)\n\nTavis Ormandy discovered that the pidmap function did not correctly handle large requests. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain ioctl values. A local attacker with access to the video subsystem could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-1745, CVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size of certain memory allocations. A local attacker with access to the video subsystem could exploit this to run the system out of memory, leading to a denial of service. (CVE-2011-1746)\n\nDan Rosenberg reported an error in the old ABI compatibility layer of ARM kernels. A local attacker could exploit this flaw to cause a denial of service or gain root privileges. (CVE-2011-1759)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle certain packet structures. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1770)\n\nTimo Warns discovered that the EFI GUID partition table was not correctly parsed. A physically local attacker that could insert mountable devices could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1776)\n\nA flaw was found in the b43 driver in the Linux kernel. An attacker could use this flaw to cause a denial of service if the system has an active wireless interface using the b43 driver. (CVE-2011-3359)\n\nYogesh Sharma discovered that CIFS did not correctly handle UNCs that had no prefixpaths. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-3363)\n\nMaynard Johnson discovered that on POWER7, certain speculative events may raise a performance monitor exception. A local attacker could exploit this to crash the system, leading to a denial of service.\n(CVE-2011-4611)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used by amateur radio. A local user or a remote user on an X.25 network could exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2011-07-06T00:00:00", "type": "nessus", "title": "Ubuntu 10.04 LTS : linux-mvl-dove vulnerabilities (USN-1162-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.9, "vectorString": "AV:A/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4243", "CVE-2010-4263", "CVE-2010-4342", "CVE-2010-4529", "CVE-2010-4565", "CVE-2011-0463", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-0726", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1017", "CVE-2011-1019", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1090", "CVE-2011-1160", "CVE-2011-1163", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1173", "CVE-2011-1180", "CVE-2011-1182", "CVE-2011-1476", "CVE-2011-1477", "CVE-2011-1478", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1573", "CVE-2011-1593", "CVE-2011-1598", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1747", "CVE-2011-1748", "CVE-2011-1759", "CVE-2011-1770", "CVE-2011-1776", "CVE-2011-2022", "CVE-2011-2534", "CVE-2011-3359", "CVE-2011-3363", "CVE-2011-4611", "CVE-2011-4913"], "modified": "2019-01-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:10.04:-:lts"], "id": "UBUNTU_USN-1162-1.NASL", "href": "https://www.tenable.com/plugins/nessus/55521", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1162-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55521);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/01/02 16:37:56\");\n\n script_cve_id(\"CVE-2010-4243\", \"CVE-2010-4263\", \"CVE-2010-4342\", \"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2011-0463\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0726\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1090\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1478\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1573\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1747\", \"CVE-2011-1748\", \"CVE-2011-1759\", \"CVE-2011-1770\", \"CVE-2011-1776\", \"CVE-2011-2022\", \"CVE-2011-2534\", \"CVE-2011-3359\", \"CVE-2011-3363\", \"CVE-2011-4611\", \"CVE-2011-4913\");\n script_bugtraq_id(44661, 45004, 45208, 45321, 45556, 46417, 46512, 46557, 46766, 46839, 46878, 47003, 47116, 47185, 47497, 47503, 47534, 47535, 47639, 47791, 47792, 47832, 47835, 47843);\n script_xref(name:\"USN\", value:\"1162-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS : linux-mvl-dove vulnerabilities (USN-1162-1)\");\n script_summary(english:\"Checks dpkg output for updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Brad Spengler discovered that the kernel did not correctly account for\nuserspace memory allocations during exec() calls. A local attacker\ncould exploit this to consume all system memory, leading to a denial\nof service. (CVE-2010-4243)\n\nAlexander Duyck discovered that the Intel Gigabit Ethernet driver did\nnot correctly handle certain configurations. If such a device was\nconfigured without VLANs, a remote attacker could crash the system,\nleading to a denial of service. (CVE-2010-4263)\n\nNelson Elhage discovered that Econet did not correctly handle AUN\npackets over UDP. A local attacker could send specially crafted\ntraffic to crash the system, leading to a denial of service.\n(CVE-2010-4342)\n\nDan Rosenberg discovered that IRDA did not correctly check the size of\nbuffers. On non-x86 systems, a local attacker could exploit this to\nread kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel\naddresses into the /proc filesystem. A local attacker could use this\nto increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not\ncorrectly clear memory when writing certain file holes. A local\nattacker could exploit this to read uninitialized data from the disk,\nleading to a loss of privacy. (CVE-2011-0463)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race\ncondition. On systems using InfiniBand, a local attacker could send\nspecially crafted requests to crash the system, leading to a denial of\nservice. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory.\nA local attacker could make crafted ioctl calls to leak portions of\nkernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nKees Cook reported that /proc/pid/stat did not correctly filter\ncertain memory locations. A local attacker could determine the memory\nlayout of processes in an attempt to increase the chances of a\nsuccessful memory corruption exploit. (CVE-2011-0726)\n\nMatthiew Herrb discovered that the drm modeset interface did not\ncorrectly handle a signed comparison. A local attacker could exploit\nthis to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not correctly\nvalidate certain registers. On systems with specific hardware, a local\nattacker could exploit this to write to arbitrary video memory.\n(CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did\nnot correctly handle certain values. By inserting a specially crafted\ndisk device, a local attacker could exploit this to gain root\nprivileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not\nneeded to load kernel modules. A local attacker with the CAP_NET_ADMIN\ncapability could load existing kernel modules, possibly increasing the\nattack surface available on the system. (CVE-2011-1019)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\nclear memory. A local attacker could exploit this to read kernel stack\nmemory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\ncheck that device name strings were NULL terminated. A local attacker\ncould exploit this to crash the system, leading to a denial of\nservice, or leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check\nthat name fields were NULL terminated. A local attacker could exploit\nthis to leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1080)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain\norders of operation with ACL data. A remote attacker with access to an\nNFSv4 mount could exploit this to crash the system, leading to a\ndenial of service. (CVE-2011-1090)\n\nPeter Huewe discovered that the TPM device did not correctly\ninitialize memory. A local attacker could exploit this to read kernel\nheap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nTimo Warns discovered that OSF partition parsing routines did not\ncorrectly clear memory. A local attacker with physical access could\nplug in a specially crafted block device to read kernel memory,\nleading to a loss of privacy. (CVE-2011-1163)\n\nVasiliy Kulikov discovered that the netfilter code did not check\ncertain strings copied from userspace. A local attacker with netfilter\naccess could exploit this to read kernel memory or crash the system,\nleading to a denial of service. (CVE-2011-1170, CVE-2011-1171,\nCVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver\ndid not correctly initialize memory. A remote attacker could send\nspecially crafted traffic to read kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly\ncheck certain field sizes. If a system was using IRDA, a remote\nattacker could send specially crafted traffic to crash the system or\ngain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate\nthe signal structure from tkill(). A local attacker could exploit this\nto send signals to arbitrary threads, possibly bypassing expected\nrestrictions. (CVE-2011-1182)\n\nDan Rosenberg reported errors in the OSS (Open Sound System) MIDI\ninterface. A local attacker on non-x86 systems might be able to cause\na denial of service. (CVE-2011-1476)\n\nDan Rosenberg reported errors in the kernel's OSS (Open Sound System)\ndriver for Yamaha FM synthesizer chips. A local user can exploit this\nto cause memory corruption, causing a denial of service or privilege\nescalation. (CVE-2011-1477)\n\nRyan Sweat discovered that the GRO code did not correctly validate\nmemory. In some configurations on systems using VLANs, a remote\nattacker could send specially crafted traffic to crash the system,\nleading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that MPT devices did not correctly validate\ncertain values in ioctl calls. If these drivers were loaded, a local\nattacker could exploit this to read arbitrary kernel memory, leading\nto a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nIt was discovered that the Stream Control Transmission Protocol (SCTP)\nimplementation incorrectly calculated lengths. If the\nnet.sctp.addip_enable variable was turned on, a remote attacker could\nsend specially crafted traffic to crash the system. (CVE-2011-1573)\n\nTavis Ormandy discovered that the pidmap function did not correctly\nhandle large requests. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver\ndid not correctly validate certain socket structures. If this driver\nwas loaded, a local attacker could crash the system, leading to a\ndenial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain\nioctl values. A local attacker with access to the video subsystem\ncould exploit this to crash the system, leading to a denial of\nservice, or possibly gain root privileges. (CVE-2011-1745,\nCVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size\nof certain memory allocations. A local attacker with access to the\nvideo subsystem could exploit this to run the system out of memory,\nleading to a denial of service. (CVE-2011-1746)\n\nDan Rosenberg reported an error in the old ABI compatibility layer of\nARM kernels. A local attacker could exploit this flaw to cause a\ndenial of service or gain root privileges. (CVE-2011-1759)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle\ncertain packet structures. A remote attacker could exploit this to\ncrash the system, leading to a denial of service. (CVE-2011-1770)\n\nTimo Warns discovered that the EFI GUID partition table was not\ncorrectly parsed. A physically local attacker that could insert\nmountable devices could exploit this to crash the system or possibly\ngain root privileges. (CVE-2011-1776)\n\nA flaw was found in the b43 driver in the Linux kernel. An attacker\ncould use this flaw to cause a denial of service if the system has an\nactive wireless interface using the b43 driver. (CVE-2011-3359)\n\nYogesh Sharma discovered that CIFS did not correctly handle UNCs that\nhad no prefixpaths. A local attacker with access to a CIFS partition\ncould exploit this to crash the system, leading to a denial of\nservice. (CVE-2011-3363)\n\nMaynard Johnson discovered that on POWER7, certain speculative events\nmay raise a performance monitor exception. A local attacker could\nexploit this to crash the system, leading to a denial of service.\n(CVE-2011-4611)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used\nby amateur radio. A local user or a remote user on an X.25 network\ncould exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913).\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-2.6.32-217-dove package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/07/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/Ubuntu/release\") ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-217-dove\", pkgver:\"2.6.32-217.34\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:ubuntu_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:24:18", "description": "Update to kernel 2.6.35.11:\nhttp://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.35/ChangeLog\n-2.6.35.11\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2011-02-11T00:00:00", "type": "nessus", "title": "Fedora 14 : kernel-2.6.35.11-83.fc14 (2011-1138)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4163", "CVE-2010-4165", "CVE-2010-4346", "CVE-2010-4648", "CVE-2010-4649", "CVE-2010-4668", "CVE-2011-0006", "CVE-2011-0521"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:14"], "id": "FEDORA_2011-1138.NASL", "href": "https://www.tenable.com/plugins/nessus/51949", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-1138.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51949);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2010-4163\", \"CVE-2010-4165\", \"CVE-2010-4346\", \"CVE-2010-4648\", \"CVE-2010-4649\", \"CVE-2010-4668\", \"CVE-2011-0006\", \"CVE-2011-0521\");\n script_bugtraq_id(44793, 44830, 45323, 45660, 45986, 46073);\n script_xref(name:\"FEDORA\", value:\"2011-1138\");\n\n script_name(english:\"Fedora 14 : kernel-2.6.35.11-83.fc14 (2011-1138)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to kernel 2.6.35.11:\nhttp://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.35/ChangeLog\n-2.6.35.11\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.35/ChangeLog-2.6.35.11\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2e777198\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=652508\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=652957\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=662189\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=667907\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=667912\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=667916\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=672398\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-February/053901.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?74a7a9ed\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:14\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/02/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/02/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^14([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 14.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC14\", reference:\"kernel-2.6.35.11-83.fc14\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:34:55", "description": "Dan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4073)\n\nSteve Chen discovered that setsockopt did not correctly check MSS values. A local attacker could make a specially crafted socket call to crash the system, leading to a denial of service. (CVE-2010-4165)\n\nVladymyr Denysov discovered that Xen virtual CD-ROM devices were not handled correctly. A local attacker in a guest could make crafted blkback requests that would crash the host, leading to a denial of service. (CVE-2010-4238)\n\nVegard Nossum discovered that memory garbage collection was not handled correctly for active sockets. A local attacker could exploit this to allocate all available kernel memory, leading to a denial of service. (CVE-2010-4249)\n\nDan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory.\nA local attacker could make crafted ioctl calls to leak portions of kernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nTimo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain orders of operation with ACL data. A remote attacker with access to an NFSv4 mount could exploit this to crash the system, leading to a denial of service. (CVE-2011-1090)\n\nVasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173)\n\nVasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could exploit this to exhaust memory and CPU resources, leading to a denial of service. (CVE-2011-2484).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2011-08-09T00:00:00", "type": "nessus", "title": "Ubuntu 8.04 LTS : linux vulnerabilities (USN-1186-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4073", "CVE-2010-4165", "CVE-2010-4238", "CVE-2010-4249", "CVE-2010-4649", "CVE-2011-0711", "CVE-2011-1010", "CVE-2011-1044", "CVE-2011-1090", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1173", "CVE-2011-2484", "CVE-2011-2534"], "modified": "2019-10-16T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpiacompat", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-openvz", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-rt", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-xen", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts"], "id": "UBUNTU_USN-1186-1.NASL", "href": "https://www.tenable.com/plugins/nessus/55784", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1186-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55784);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2019/10/16 10:34:22\");\n\n script_cve_id(\"CVE-2010-4073\", \"CVE-2010-4165\", \"CVE-2010-4238\", \"CVE-2010-4249\", \"CVE-2010-4649\", \"CVE-2011-0711\", \"CVE-2011-1010\", \"CVE-2011-1044\", \"CVE-2011-1090\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-2484\", \"CVE-2011-2534\");\n script_bugtraq_id(44830, 45037, 45073, 45795, 46073, 46417, 46488, 46492, 46766, 46919, 46921, 47990, 48383);\n script_xref(name:\"USN\", value:\"1186-1\");\n\n script_name(english:\"Ubuntu 8.04 LTS : linux vulnerabilities (USN-1186-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dan Rosenberg discovered that IPC structures were not correctly\ninitialized on 64bit systems. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4073)\n\nSteve Chen discovered that setsockopt did not correctly check MSS\nvalues. A local attacker could make a specially crafted socket call to\ncrash the system, leading to a denial of service. (CVE-2010-4165)\n\nVladymyr Denysov discovered that Xen virtual CD-ROM devices were not\nhandled correctly. A local attacker in a guest could make crafted\nblkback requests that would crash the host, leading to a denial of\nservice. (CVE-2010-4238)\n\nVegard Nossum discovered that memory garbage collection was not\nhandled correctly for active sockets. A local attacker could exploit\nthis to allocate all available kernel memory, leading to a denial of\nservice. (CVE-2010-4249)\n\nDan Carpenter discovered that the Infiniband driver did not correctly\nhandle certain requests. A local user could exploit this to crash the\nsystem or potentially gain root privileges. (CVE-2010-4649,\nCVE-2011-1044)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory.\nA local attacker could make crafted ioctl calls to leak portions of\nkernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nTimo Warns discovered that MAC partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem or potentially gain root privileges. (CVE-2011-1010)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain\norders of operation with ACL data. A remote attacker with access to an\nNFSv4 mount could exploit this to crash the system, leading to a\ndenial of service. (CVE-2011-1090)\n\nVasiliy Kulikov discovered that the netfilter code did not check\ncertain strings copied from userspace. A local attacker with netfilter\naccess could exploit this to read kernel memory or crash the system,\nleading to a denial of service. (CVE-2011-1170, CVE-2011-1171,\nCVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver\ndid not correctly initialize memory. A remote attacker could send\nspecially crafted traffic to read kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1173)\n\nVasiliy Kulikov discovered that taskstats listeners were not correctly\nhandled. A local attacker could exploit this to exhaust memory and CPU\nresources, leading to a denial of service. (CVE-2011-2484).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1186-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpiacompat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-openvz\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/08/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(8\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2010-4073\", \"CVE-2010-4165\", \"CVE-2010-4238\", \"CVE-2010-4249\", \"CVE-2010-4649\", \"CVE-2011-0711\", \"CVE-2011-1010\", \"CVE-2011-1044\", \"CVE-2011-1090\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-2484\", \"CVE-2011-2534\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1186-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-386\", pkgver:\"2.6.24-29.92\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-generic\", pkgver:\"2.6.24-29.92\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-lpia\", pkgver:\"2.6.24-29.92\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-lpiacompat\", pkgver:\"2.6.24-29.92\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-openvz\", pkgver:\"2.6.24-29.92\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-rt\", pkgver:\"2.6.24-29.92\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-server\", pkgver:\"2.6.24-29.92\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-virtual\", pkgver:\"2.6.24-29.92\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"linux-image-2.6.24-29-xen\", pkgver:\"2.6.24-29.92\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-2.6-386 / linux-image-2.6-generic / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:27:02", "description": "Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user.\n(CVE-2010-3865)\n\nVasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3875)\n\nVasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876)\n\nVasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3877)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)\n\nIt was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248)\n\nKrishna Gudipati discovered that the bfa adapter driver did not correctly initialize certain structures. A local attacker could read files in /sys to crash the system, leading to a denial of service.\n(CVE-2010-4343)\n\nTavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks.\n(CVE-2010-4346)\n\nIt was discovered that the ICMP stack did not correctly handle certain unreachable messages. If a remote attacker were able to acquire a socket lock, they could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-4526)\n\nDan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this crash the system or gain root privileges. (CVE-2010-4527)\n\nAn error was reported in the kernel's ORiNOCO wireless driver's handling of TKIP countermeasures. This reduces the amount of time an attacker needs breach a wireless network using WPA+TKIP for security.\n(CVE-2010-4648)\n\nDan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)\n\nAn error was discovered in the kernel's handling of CUSE (Character device in Userspace). A local attacker might exploit this flaw to escalate privilege, if access to /dev/cuse has been modified to allow non-root users. (CVE-2010-4650)\n\nA flaw was found in the kernel's Integrity Measurement Architecture (IMA). Changes made by an attacker might not be discovered by IMA, if SELinux was disabled, and a new IMA rule was loaded. (CVE-2011-0006).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2011-03-02T00:00:00", "type": "nessus", "title": "Ubuntu 10.04 LTS : linux vulnerabilities (USN-1080-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3865", "CVE-2010-3875", "CVE-2010-3876", "CVE-2010-3877", "CVE-2010-3880", "CVE-2010-4248", "CVE-2010-4343", "CVE-2010-4346", "CVE-2010-4526", "CVE-2010-4527", "CVE-2010-4648", "CVE-2010-4649", "CVE-2010-4650", "CVE-2011-0006", "CVE-2011-1044"], "modified": "2019-09-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-doc", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-386", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic-pae", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-preempt", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-preempt", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev", "p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.32", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-2.6", "p-cpe:/a:canonical:ubuntu_linux:linux-tools-common", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts"], "id": "UBUNTU_USN-1080-1.NASL", "href": "https://www.tenable.com/plugins/nessus/52499", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1080-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(52499);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/09/19 12:54:26\");\n\n script_cve_id(\"CVE-2010-3865\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-4248\", \"CVE-2010-4343\", \"CVE-2010-4346\", \"CVE-2010-4526\", \"CVE-2010-4527\", \"CVE-2010-4648\", \"CVE-2010-4649\", \"CVE-2010-4650\", \"CVE-2011-0006\", \"CVE-2011-1044\");\n script_bugtraq_id(44549, 44630, 44665, 45028, 45262, 45323, 45629, 45661, 46073, 46488);\n script_xref(name:\"USN\", value:\"1080-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS : linux vulnerabilities (USN-1080-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Thomas Pollet discovered that the RDS network protocol did not check\ncertain iovec buffers. A local attacker could exploit this to crash\nthe system or possibly execute arbitrary code as the root user.\n(CVE-2010-3865)\n\nVasiliy Kulikov discovered that the Linux kernel X.25 implementation\ndid not correctly clear kernel memory. A local attacker could exploit\nthis to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3875)\n\nVasiliy Kulikov discovered that the Linux kernel sockets\nimplementation did not properly initialize certain structures. A local\nattacker could exploit this to read kernel stack memory, leading to a\nloss of privacy. (CVE-2010-3876)\n\nVasiliy Kulikov discovered that the TIPC interface did not correctly\ninitialize certain structures. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3877)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation did\nnot properly audit certain bytecodes in netlink messages. A local\nattacker could exploit this to cause the kernel to hang, leading to a\ndenial of service. (CVE-2010-3880)\n\nIt was discovered that multithreaded exec did not handle CPU timers\ncorrectly. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4248)\n\nKrishna Gudipati discovered that the bfa adapter driver did not\ncorrectly initialize certain structures. A local attacker could read\nfiles in /sys to crash the system, leading to a denial of service.\n(CVE-2010-4343)\n\nTavis Ormandy discovered that the install_special_mapping function\ncould bypass the mmap_min_addr restriction. A local attacker could\nexploit this to mmap 4096 bytes below the mmap_min_addr area, possibly\nimproving the chances of performing NULL pointer dereference attacks.\n(CVE-2010-4346)\n\nIt was discovered that the ICMP stack did not correctly handle certain\nunreachable messages. If a remote attacker were able to acquire a\nsocket lock, they could send specially crafted traffic that would\ncrash the system, leading to a denial of service. (CVE-2010-4526)\n\nDan Rosenberg discovered that the OSS subsystem did not handle name\ntermination correctly. A local attacker could exploit this crash the\nsystem or gain root privileges. (CVE-2010-4527)\n\nAn error was reported in the kernel's ORiNOCO wireless driver's\nhandling of TKIP countermeasures. This reduces the amount of time an\nattacker needs breach a wireless network using WPA+TKIP for security.\n(CVE-2010-4648)\n\nDan Carpenter discovered that the Infiniband driver did not correctly\nhandle certain requests. A local user could exploit this to crash the\nsystem or potentially gain root privileges. (CVE-2010-4649,\nCVE-2011-1044)\n\nAn error was discovered in the kernel's handling of CUSE (Character\ndevice in Userspace). A local attacker might exploit this flaw to\nescalate privilege, if access to /dev/cuse has been modified to allow\nnon-root users. (CVE-2010-4650)\n\nA flaw was found in the kernel's Integrity Measurement Architecture\n(IMA). Changes made by an attacker might not be discovered by IMA, if\nSELinux was disabled, and a new IMA rule was loaded. (CVE-2011-0006).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1080-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-preempt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-preempt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.32\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-2.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-common\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2010-3865\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-4248\", \"CVE-2010-4343\", \"CVE-2010-4346\", \"CVE-2010-4526\", \"CVE-2010-4527\", \"CVE-2010-4648\", \"CVE-2010-4649\", \"CVE-2010-4650\", \"CVE-2011-0006\", \"CVE-2011-1044\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1080-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-doc\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-29\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-29-386\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-29-generic\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-29-generic-pae\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-29-preempt\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-29-server\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-29-386\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-29-generic\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-29-generic-pae\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-29-lpia\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-29-preempt\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-29-server\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-29-versatile\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-29-virtual\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-libc-dev\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-source-2.6.32\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-tools-2.6.32-29\", pkgver:\"2.6.32-29.58\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-tools-common\", pkgver:\"2.6.32-29.58\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-doc / linux-headers-2.6 / linux-headers-2.6-386 / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:25:16", "description": "Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user.\n(CVE-2010-3865)\n\nVasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3875)\n\nVasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876)\n\nVasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3877)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)\n\nIt was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248)\n\nKrishna Gudipati discovered that the bfa adapter driver did not correctly initialize certain structures. A local attacker could read files in /sys to crash the system, leading to a denial of service.\n(CVE-2010-4343)\n\nTavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks.\n(CVE-2010-4346)\n\nIt was discovered that the ICMP stack did not correctly handle certain unreachable messages. If a remote attacker were able to acquire a socket lock, they could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-4526)\n\nDan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this crash the system or gain root privileges. (CVE-2010-4527)\n\nAn error was reported in the kernel's ORiNOCO wireless driver's handling of TKIP countermeasures. This reduces the amount of time an attacker needs breach a wireless network using WPA+TKIP for security.\n(CVE-2010-4648)\n\nDan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)\n\nAn error was discovered in the kernel's handling of CUSE (Character device in Userspace). A local attacker might exploit this flaw to escalate privilege, if access to /dev/cuse has been modified to allow non-root users. (CVE-2010-4650)\n\nA flaw was found in the kernel's Integrity Measurement Architecture (IMA). Changes made by an attacker might not be discovered by IMA, if SELinux was disabled, and a new IMA rule was loaded. (CVE-2011-0006).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2011-03-03T00:00:00", "type": "nessus", "title": "Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1080-2)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3865", "CVE-2010-3875", "CVE-2010-3876", "CVE-2010-3877", "CVE-2010-3880", "CVE-2010-4248", "CVE-2010-4343", "CVE-2010-4346", "CVE-2010-4526", "CVE-2010-4527", "CVE-2010-4648", "CVE-2010-4649", "CVE-2010-4650", "CVE-2011-0006", "CVE-2011-1044"], "modified": "2019-09-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-ec2-doc", "p-cpe:/a:canonical:ubuntu_linux:linux-ec2-source-2.6.32", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6", "p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-ec2", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-ec2", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts"], "id": "UBUNTU_USN-1080-2.NASL", "href": "https://www.tenable.com/plugins/nessus/52528", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1080-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(52528);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/09/19 12:54:26\");\n\n script_cve_id(\"CVE-2010-3865\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-4248\", \"CVE-2010-4343\", \"CVE-2010-4346\", \"CVE-2010-4526\", \"CVE-2010-4527\", \"CVE-2010-4648\", \"CVE-2010-4649\", \"CVE-2010-4650\", \"CVE-2011-0006\", \"CVE-2011-1044\");\n script_bugtraq_id(44549, 44630, 44665, 45028, 45262, 45323, 45629, 45661, 46073, 46488);\n script_xref(name:\"USN\", value:\"1080-2\");\n\n script_name(english:\"Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1080-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Thomas Pollet discovered that the RDS network protocol did not check\ncertain iovec buffers. A local attacker could exploit this to crash\nthe system or possibly execute arbitrary code as the root user.\n(CVE-2010-3865)\n\nVasiliy Kulikov discovered that the Linux kernel X.25 implementation\ndid not correctly clear kernel memory. A local attacker could exploit\nthis to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3875)\n\nVasiliy Kulikov discovered that the Linux kernel sockets\nimplementation did not properly initialize certain structures. A local\nattacker could exploit this to read kernel stack memory, leading to a\nloss of privacy. (CVE-2010-3876)\n\nVasiliy Kulikov discovered that the TIPC interface did not correctly\ninitialize certain structures. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-3877)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation did\nnot properly audit certain bytecodes in netlink messages. A local\nattacker could exploit this to cause the kernel to hang, leading to a\ndenial of service. (CVE-2010-3880)\n\nIt was discovered that multithreaded exec did not handle CPU timers\ncorrectly. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4248)\n\nKrishna Gudipati discovered that the bfa adapter driver did not\ncorrectly initialize certain structures. A local attacker could read\nfiles in /sys to crash the system, leading to a denial of service.\n(CVE-2010-4343)\n\nTavis Ormandy discovered that the install_special_mapping function\ncould bypass the mmap_min_addr restriction. A local attacker could\nexploit this to mmap 4096 bytes below the mmap_min_addr area, possibly\nimproving the chances of performing NULL pointer dereference attacks.\n(CVE-2010-4346)\n\nIt was discovered that the ICMP stack did not correctly handle certain\nunreachable messages. If a remote attacker were able to acquire a\nsocket lock, they could send specially crafted traffic that would\ncrash the system, leading to a denial of service. (CVE-2010-4526)\n\nDan Rosenberg discovered that the OSS subsystem did not handle name\ntermination correctly. A local attacker could exploit this crash the\nsystem or gain root privileges. (CVE-2010-4527)\n\nAn error was reported in the kernel's ORiNOCO wireless driver's\nhandling of TKIP countermeasures. This reduces the amount of time an\nattacker needs breach a wireless network using WPA+TKIP for security.\n(CVE-2010-4648)\n\nDan Carpenter discovered that the Infiniband driver did not correctly\nhandle certain requests. A local user could exploit this to crash the\nsystem or potentially gain root privileges. (CVE-2010-4649,\nCVE-2011-1044)\n\nAn error was discovered in the kernel's handling of CUSE (Character\ndevice in Userspace). A local attacker might exploit this flaw to\nescalate privilege, if access to /dev/cuse has been modified to allow\nnon-root users. (CVE-2010-4650)\n\nA flaw was found in the kernel's Integrity Measurement Architecture\n(IMA). Changes made by an attacker might not be discovered by IMA, if\nSELinux was disabled, and a new IMA rule was loaded. (CVE-2011-0006).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1080-2/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-ec2-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-ec2-source-2.6.32\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2010-3865\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-4248\", \"CVE-2010-4343\", \"CVE-2010-4346\", \"CVE-2010-4526\", \"CVE-2010-4527\", \"CVE-2010-4648\", \"CVE-2010-4649\", \"CVE-2010-4650\", \"CVE-2011-0006\", \"CVE-2011-1044\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1080-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-ec2-doc\", pkgver:\"2.6.32-313.26\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-ec2-source-2.6.32\", pkgver:\"2.6.32-313.26\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-313\", pkgver:\"2.6.32-313.26\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-313-ec2\", pkgver:\"2.6.32-313.26\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-313-ec2\", pkgver:\"2.6.32-313.26\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-ec2-doc / linux-ec2-source-2.6.32 / linux-headers-2.6 / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:31:55", "description": "This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel.\n\nThe following security issues have been fixed :\n\n - kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack). (CVE-2011-2494)\n\n - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. (CVE-2012-2744)\n\n - Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.\n (CVE-2012-3510)\n\n - The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key.\n (CVE-2011-4110)\n\n - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. (CVE-2011-1044)\n\n - Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. (CVE-2012-3400)\n\n - The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. (CVE-2012-2136)\n\n - A small denial of service leak in dropping syn+fin messages was fixed. (CVE-2012-2663)\n\nThe following non-security issues have been fixed :\n\nPackaging :\n\n - kbuild: Fix gcc -x syntax (bnc#773831). NFS :\n\n - knfsd: An assortment of little fixes to the sunrpc cache code. (bnc#767766)\n\n - knfsd: Unexport cache_fresh and fix a small race.\n (bnc#767766)\n\n - knfsd: nfsd: do not drop silently on upcall deferral.\n (bnc#767766)\n\n - knfsd: svcrpc: remove another silent drop from deferral code. (bnc#767766)\n\n - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked. (bnc#767766)\n\n - sunrpc/cache: recheck cache validity after cache_defer_req. (bnc#767766)\n\n - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req. (bnc#767766)\n\n - sunrpc/cache: avoid variable over-loading in cache_defer_req. (bnc#767766)\n\n - sunrpc/cache: allow thread to block while waiting for cache update. (bnc#767766)\n\n - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update. (bnc#767766)\n\n - sunrpc/cache: Another fix for race problem with sunrpc cache deferal. (bnc#767766)\n\n - knfsd: nfsd: make all exp_finding functions return\n -errnos on err. (bnc#767766)\n\n - Fix kabi breakage in previous nfsd patch series.\n (bnc#767766)\n\n - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout. (bnc#767766)\n\n - nfs: Fix a potential file corruption issue when writing.\n (bnc#773272)\n\n - nfs: Allow sync writes to be multiple pages.\n (bnc#763526)\n\n - nfs: fix reference counting for NFSv4 callback thread.\n (bnc#767504)\n\n - nfs: flush signals before taking down callback thread.\n (bnc#767504)\n\n - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI :\n\n - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058)\n\n - drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc. (bnc#783058)\n\n - block: fail SCSI passthrough ioctls on partition devices. (bnc#738400)\n\n - dm: do not forward ioctls from logical volumes to the underlying device. (bnc#738400)\n\n - vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 :\n\n - lgr: Make lgr_page static (bnc#772409,LTC#83520).\n\n - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510).\n\n - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203).\n\n - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546)\n\n - mptfusion: fix msgContext in mptctl_hp_hostinfo.\n (bnc#767939)\n\n - PCI: Fix bus resource assignment on 32 bits with 64b resources. . (bnc#762581)\n\n - PCI: fix up setup-bus.c #ifdef. (bnc#762581)\n\n - x86: powernow-k8: Fix indexing issue. (bnc#758985)\n\n - net: Fix race condition about network device name allocation. (bnc#747576)\n\nXEN :\n\n - smpboot: adjust ordering of operations.\n\n - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time. (bnc#738528)\n\n - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53.\n (bnc#760974)\n\n - xen/gntdev: fix multi-page slot allocation. (bnc#760974)", "cvss3": {}, "published": "2012-10-24T00:00:00", "type": "nessus", "title": "SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8324)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4649", "CVE-2011-1044", "CVE-2011-2494", "CVE-2011-4110", "CVE-2012-2136", "CVE-2012-2663", "CVE-2012-2744", "CVE-2012-3400", "CVE-2012-3510"], "modified": "2021-01-19T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_KERNEL-8324.NASL", "href": "https://www.tenable.com/plugins/nessus/62675", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(62675);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2010-4649\", \"CVE-2011-1044\", \"CVE-2011-2494\", \"CVE-2011-4110\", \"CVE-2012-2136\", \"CVE-2012-2663\", \"CVE-2012-2744\", \"CVE-2012-3400\", \"CVE-2012-3510\");\n\n script_name(english:\"SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8324)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This Linux kernel update fixes various security issues and bugs in the\nSUSE Linux Enterprise 10 SP4 kernel.\n\nThe following security issues have been fixed :\n\n - kernel/taskstats.c in the Linux kernel allowed local\n users to obtain sensitive I/O statistics by sending\n taskstats commands to a netlink socket, as demonstrated\n by discovering the length of another users password (a\n side channel attack). (CVE-2011-2494)\n\n - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux\n kernel, when the nf_conntrack_ipv6 module is enabled,\n allowed remote attackers to cause a denial of service\n (NULL pointer dereference and system crash) via certain\n types of fragmented IPv6 packets. (CVE-2012-2744)\n\n - Use-after-free vulnerability in the xacct_add_tsk\n function in kernel/tsacct.c in the Linux kernel allowed\n local users to obtain potentially sensitive information\n from kernel memory or cause a denial of service (system\n crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.\n (CVE-2012-3510)\n\n - The user_update function in security/keys/user_defined.c\n in the Linux kernel 2.6 allowed local users to cause a\n denial of service (NULL pointer dereference and kernel\n oops) via vectors related to a user-defined key and\n updating a negative key into a fully instantiated key.\n (CVE-2011-4110)\n\n - The ib_uverbs_poll_cq function in\n drivers/infiniband/core/uverbs_cmd.c in the Linux kernel\n did not initialize a certain response buffer, which\n allowed local users to obtain potentially sensitive\n information from kernel memory via vectors that cause\n this buffer to be only partially filled, a different\n vulnerability than CVE-2010-4649. (CVE-2011-1044)\n\n - Heap-based buffer overflow in the udf_load_logicalvol\n function in fs/udf/super.c in the Linux kernel allowed\n remote attackers to cause a denial of service (system\n crash) or possibly have unspecified other impact via a\n crafted UDF filesystem. (CVE-2012-3400)\n\n - The sock_alloc_send_pskb function in net/core/sock.c in\n the Linux kernel did not properly validate a certain\n length value, which allowed local users to cause a\n denial of service (heap-based buffer overflow and system\n crash) or possibly gain privileges by leveraging access\n to a TUN/TAP device. (CVE-2012-2136)\n\n - A small denial of service leak in dropping syn+fin\n messages was fixed. (CVE-2012-2663)\n\nThe following non-security issues have been fixed :\n\nPackaging :\n\n - kbuild: Fix gcc -x syntax (bnc#773831). NFS :\n\n - knfsd: An assortment of little fixes to the sunrpc cache\n code. (bnc#767766)\n\n - knfsd: Unexport cache_fresh and fix a small race.\n (bnc#767766)\n\n - knfsd: nfsd: do not drop silently on upcall deferral.\n (bnc#767766)\n\n - knfsd: svcrpc: remove another silent drop from deferral\n code. (bnc#767766)\n\n - sunrpc/cache: simplify cache_fresh_locked and\n cache_fresh_unlocked. (bnc#767766)\n\n - sunrpc/cache: recheck cache validity after\n cache_defer_req. (bnc#767766)\n\n - sunrpc/cache: use list_del_init for the list_head\n entries in cache_deferred_req. (bnc#767766)\n\n - sunrpc/cache: avoid variable over-loading in\n cache_defer_req. (bnc#767766)\n\n - sunrpc/cache: allow thread to block while waiting for\n cache update. (bnc#767766)\n\n - sunrpc/cache: Fix race in sunrpc/cache introduced by\n patch to allow thread to block while waiting for cache\n update. (bnc#767766)\n\n - sunrpc/cache: Another fix for race problem with sunrpc\n cache deferal. (bnc#767766)\n\n - knfsd: nfsd: make all exp_finding functions return\n -errnos on err. (bnc#767766)\n\n - Fix kabi breakage in previous nfsd patch series.\n (bnc#767766)\n\n - nfsd: Work around incorrect return type for\n wait_for_completion_interruptible_timeout. (bnc#767766)\n\n - nfs: Fix a potential file corruption issue when writing.\n (bnc#773272)\n\n - nfs: Allow sync writes to be multiple pages.\n (bnc#763526)\n\n - nfs: fix reference counting for NFSv4 callback thread.\n (bnc#767504)\n\n - nfs: flush signals before taking down callback thread.\n (bnc#767504)\n\n - nfsv4: Ensure nfs_callback_down() calls svc_destroy()\n (bnc#767504). SCSI :\n\n - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058)\n\n - drivers/scsi/aic94xx/aic94xx_init.c: correct the size\n argument to kmalloc. (bnc#783058)\n\n - block: fail SCSI passthrough ioctls on partition\n devices. (bnc#738400)\n\n - dm: do not forward ioctls from logical volumes to the\n underlying device. (bnc#738400)\n\n - vmware: Fix VMware hypervisor detection (bnc#777575,\n bnc#770507). S/390 :\n\n - lgr: Make lgr_page static (bnc#772409,LTC#83520).\n\n - zfcp: Fix oops in _blk_add_trace()\n (bnc#772409,LTC#83510).\n\n - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203).\n\n - be2net: Fix EEH error reset before a flash dump\n completes. (bnc#755546)\n\n - mptfusion: fix msgContext in mptctl_hp_hostinfo.\n (bnc#767939)\n\n - PCI: Fix bus resource assignment on 32 bits with 64b\n resources. . (bnc#762581)\n\n - PCI: fix up setup-bus.c #ifdef. (bnc#762581)\n\n - x86: powernow-k8: Fix indexing issue. (bnc#758985)\n\n - net: Fix race condition about network device name\n allocation. (bnc#747576)\n\nXEN :\n\n - smpboot: adjust ordering of operations.\n\n - xen/x86-64: provide a memset() that can deal with 4Gb or\n above at a time. (bnc#738528)\n\n - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53.\n (bnc#760974)\n\n - xen/gntdev: fix multi-page slot allocation. (bnc#760974)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-4649.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1044.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-2494.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-4110.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-2136.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-2663.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-2744.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-3400.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-3510.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 8324.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/10/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:4, cpu:\"x86_64\", reference:\"kernel-default-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, cpu:\"x86_64\", reference:\"kernel-smp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, cpu:\"x86_64\", reference:\"kernel-source-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, cpu:\"x86_64\", reference:\"kernel-syms-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, cpu:\"x86_64\", reference:\"kernel-xen-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"x86_64\", reference:\"kernel-debug-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"x86_64\", reference:\"kernel-default-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"x86_64\", reference:\"kernel-kdump-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"x86_64\", reference:\"kernel-smp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"x86_64\", reference:\"kernel-source-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"x86_64\", reference:\"kernel-syms-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"x86_64\", reference:\"kernel-xen-2.6.16.60-0.99.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:31:28", "description": "This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel.\n\nThe following security issues have been fixed :\n\n - kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack). (CVE-2011-2494)\n\n - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. (CVE-2012-2744)\n\n - Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.\n (CVE-2012-3510)\n\n - The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key.\n (CVE-2011-4110)\n\n - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. (CVE-2011-1044)\n\n - Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. (CVE-2012-3400)\n\n - The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. (CVE-2012-2136)\n\n - A small denial of service leak in dropping syn+fin messages was fixed. (CVE-2012-2663)\n\nThe following non-security issues have been fixed :\n\nPackaging :\n\n - kbuild: Fix gcc -x syntax (bnc#773831). NFS :\n\n - knfsd: An assortment of little fixes to the sunrpc cache code. (bnc#767766)\n\n - knfsd: Unexport cache_fresh and fix a small race.\n (bnc#767766)\n\n - knfsd: nfsd: do not drop silently on upcall deferral.\n (bnc#767766)\n\n - knfsd: svcrpc: remove another silent drop from deferral code. (bnc#767766)\n\n - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked. (bnc#767766)\n\n - sunrpc/cache: recheck cache validity after cache_defer_req. (bnc#767766)\n\n - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req. (bnc#767766)\n\n - sunrpc/cache: avoid variable over-loading in cache_defer_req. (bnc#767766)\n\n - sunrpc/cache: allow thread to block while waiting for cache update. (bnc#767766)\n\n - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update. (bnc#767766)\n\n - sunrpc/cache: Another fix for race problem with sunrpc cache deferal. (bnc#767766)\n\n - knfsd: nfsd: make all exp_finding functions return\n -errnos on err. (bnc#767766)\n\n - Fix kabi breakage in previous nfsd patch series.\n (bnc#767766)\n\n - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout. (bnc#767766)\n\n - nfs: Fix a potential file corruption issue when writing.\n (bnc#773272)\n\n - nfs: Allow sync writes to be multiple pages.\n (bnc#763526)\n\n - nfs: fix reference counting for NFSv4 callback thread.\n (bnc#767504)\n\n - nfs: flush signals before taking down callback thread.\n (bnc#767504)\n\n - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI :\n\n - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058)\n\n - drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc. (bnc#783058)\n\n - block: fail SCSI passthrough ioctls on partition devices. (bnc#738400)\n\n - dm: do not forward ioctls from logical volumes to the underlying device. (bnc#738400)\n\n - vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 :\n\n - lgr: Make lgr_page static (bnc#772409,LTC#83520).\n\n - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510).\n\n - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203).\n\n - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546)\n\n - mptfusion: fix msgContext in mptctl_hp_hostinfo.\n (bnc#767939)\n\n - PCI: Fix bus resource assignment on 32 bits with 64b resources. . (bnc#762581)\n\n - PCI: fix up setup-bus.c #ifdef. (bnc#762581)\n\n - x86: powernow-k8: Fix indexing issue. (bnc#758985)\n\n - net: Fix race condition about network device name allocation. (bnc#747576)\n\nXEN :\n\n - smpboot: adjust ordering of operations.\n\n - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time. (bnc#738528)\n\n - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53.\n (bnc#760974)\n\n - xen/gntdev: fix multi-page slot allocation. (bnc#760974)", "cvss3": {}, "published": "2012-10-24T00:00:00", "type": "nessus", "title": "SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8325)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4649", "CVE-2011-1044", "CVE-2011-2494", "CVE-2011-4110", "CVE-2012-2136", "CVE-2012-2663", "CVE-2012-2744", "CVE-2012-3400", "CVE-2012-3510"], "modified": "2021-01-19T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_KERNEL-8325.NASL", "href": "https://www.tenable.com/plugins/nessus/62676", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(62676);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2010-4649\", \"CVE-2011-1044\", \"CVE-2011-2494\", \"CVE-2011-4110\", \"CVE-2012-2136\", \"CVE-2012-2663\", \"CVE-2012-2744\", \"CVE-2012-3400\", \"CVE-2012-3510\");\n\n script_name(english:\"SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8325)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This Linux kernel update fixes various security issues and bugs in the\nSUSE Linux Enterprise 10 SP4 kernel.\n\nThe following security issues have been fixed :\n\n - kernel/taskstats.c in the Linux kernel allowed local\n users to obtain sensitive I/O statistics by sending\n taskstats commands to a netlink socket, as demonstrated\n by discovering the length of another users password (a\n side channel attack). (CVE-2011-2494)\n\n - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux\n kernel, when the nf_conntrack_ipv6 module is enabled,\n allowed remote attackers to cause a denial of service\n (NULL pointer dereference and system crash) via certain\n types of fragmented IPv6 packets. (CVE-2012-2744)\n\n - Use-after-free vulnerability in the xacct_add_tsk\n function in kernel/tsacct.c in the Linux kernel allowed\n local users to obtain potentially sensitive information\n from kernel memory or cause a denial of service (system\n crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.\n (CVE-2012-3510)\n\n - The user_update function in security/keys/user_defined.c\n in the Linux kernel 2.6 allowed local users to cause a\n denial of service (NULL pointer dereference and kernel\n oops) via vectors related to a user-defined key and\n updating a negative key into a fully instantiated key.\n (CVE-2011-4110)\n\n - The ib_uverbs_poll_cq function in\n drivers/infiniband/core/uverbs_cmd.c in the Linux kernel\n did not initialize a certain response buffer, which\n allowed local users to obtain potentially sensitive\n information from kernel memory via vectors that cause\n this buffer to be only partially filled, a different\n vulnerability than CVE-2010-4649. (CVE-2011-1044)\n\n - Heap-based buffer overflow in the udf_load_logicalvol\n function in fs/udf/super.c in the Linux kernel allowed\n remote attackers to cause a denial of service (system\n crash) or possibly have unspecified other impact via a\n crafted UDF filesystem. (CVE-2012-3400)\n\n - The sock_alloc_send_pskb function in net/core/sock.c in\n the Linux kernel did not properly validate a certain\n length value, which allowed local users to cause a\n denial of service (heap-based buffer overflow and system\n crash) or possibly gain privileges by leveraging access\n to a TUN/TAP device. (CVE-2012-2136)\n\n - A small denial of service leak in dropping syn+fin\n messages was fixed. (CVE-2012-2663)\n\nThe following non-security issues have been fixed :\n\nPackaging :\n\n - kbuild: Fix gcc -x syntax (bnc#773831). NFS :\n\n - knfsd: An assortment of little fixes to the sunrpc cache\n code. (bnc#767766)\n\n - knfsd: Unexport cache_fresh and fix a small race.\n (bnc#767766)\n\n - knfsd: nfsd: do not drop silently on upcall deferral.\n (bnc#767766)\n\n - knfsd: svcrpc: remove another silent drop from deferral\n code. (bnc#767766)\n\n - sunrpc/cache: simplify cache_fresh_locked and\n cache_fresh_unlocked. (bnc#767766)\n\n - sunrpc/cache: recheck cache validity after\n cache_defer_req. (bnc#767766)\n\n - sunrpc/cache: use list_del_init for the list_head\n entries in cache_deferred_req. (bnc#767766)\n\n - sunrpc/cache: avoid variable over-loading in\n cache_defer_req. (bnc#767766)\n\n - sunrpc/cache: allow thread to block while waiting for\n cache update. (bnc#767766)\n\n - sunrpc/cache: Fix race in sunrpc/cache introduced by\n patch to allow thread to block while waiting for cache\n update. (bnc#767766)\n\n - sunrpc/cache: Another fix for race problem with sunrpc\n cache deferal. (bnc#767766)\n\n - knfsd: nfsd: make all exp_finding functions return\n -errnos on err. (bnc#767766)\n\n - Fix kabi breakage in previous nfsd patch series.\n (bnc#767766)\n\n - nfsd: Work around incorrect return type for\n wait_for_completion_interruptible_timeout. (bnc#767766)\n\n - nfs: Fix a potential file corruption issue when writing.\n (bnc#773272)\n\n - nfs: Allow sync writes to be multiple pages.\n (bnc#763526)\n\n - nfs: fix reference counting for NFSv4 callback thread.\n (bnc#767504)\n\n - nfs: flush signals before taking down callback thread.\n (bnc#767504)\n\n - nfsv4: Ensure nfs_callback_down() calls svc_destroy()\n (bnc#767504). SCSI :\n\n - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058)\n\n - drivers/scsi/aic94xx/aic94xx_init.c: correct the size\n argument to kmalloc. (bnc#783058)\n\n - block: fail SCSI passthrough ioctls on partition\n devices. (bnc#738400)\n\n - dm: do not forward ioctls from logical volumes to the\n underlying device. (bnc#738400)\n\n - vmware: Fix VMware hypervisor detection (bnc#777575,\n bnc#770507). S/390 :\n\n - lgr: Make lgr_page static (bnc#772409,LTC#83520).\n\n - zfcp: Fix oops in _blk_add_trace()\n (bnc#772409,LTC#83510).\n\n - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203).\n\n - be2net: Fix EEH error reset before a flash dump\n completes. (bnc#755546)\n\n - mptfusion: fix msgContext in mptctl_hp_hostinfo.\n (bnc#767939)\n\n - PCI: Fix bus resource assignment on 32 bits with 64b\n resources. . (bnc#762581)\n\n - PCI: fix up setup-bus.c #ifdef. (bnc#762581)\n\n - x86: powernow-k8: Fix indexing issue. (bnc#758985)\n\n - net: Fix race condition about network device name\n allocation. (bnc#747576)\n\nXEN :\n\n - smpboot: adjust ordering of operations.\n\n - xen/x86-64: provide a memset() that can deal with 4Gb or\n above at a time. (bnc#738528)\n\n - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53.\n (bnc#760974)\n\n - xen/gntdev: fix multi-page slot allocation. (bnc#760974)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-4649.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1044.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-2494.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-4110.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-2136.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-2663.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-2744.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-3400.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-3510.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 8325.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/10/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:4, cpu:\"i586\", reference:\"kernel-bigsmp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, cpu:\"i586\", reference:\"kernel-default-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, cpu:\"i586\", reference:\"kernel-smp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, cpu:\"i586\", reference:\"kernel-source-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, cpu:\"i586\", reference:\"kernel-syms-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, cpu:\"i586\", reference:\"kernel-xen-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, cpu:\"i586\", reference:\"kernel-xenpae-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"i586\", reference:\"kernel-bigsmp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"i586\", reference:\"kernel-debug-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"i586\", reference:\"kernel-default-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"i586\", reference:\"kernel-kdump-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"i586\", reference:\"kernel-kdumppae-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"i586\", reference:\"kernel-smp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"i586\", reference:\"kernel-source-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"i586\", reference:\"kernel-syms-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"i586\", reference:\"kernel-vmi-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"i586\", reference:\"kernel-vmipae-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"i586\", reference:\"kernel-xen-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:4, cpu:\"i586\", reference:\"kernel-xenpae-2.6.16.60-0.99.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:55:53", "description": "This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel.\n\nThe following security issues have been fixed :\n\nCVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack).\n\nCVE-2012-2744: net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets.\n\nCVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command.\n\nCVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key.\n\nCVE-2011-1044: The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649.\n\nCVE-2012-3400: Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.\n\nCVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.\n\nCVE-2012-2663: A small denial of service leak in dropping syn+fin messages was fixed.\n\nThe following non-security issues have been fixed :\n\nPackaging :\n\n - kbuild: Fix gcc -x syntax (bnc#773831).\n\nNFS :\n\n - knfsd: An assortment of little fixes to the sunrpc cache code (bnc#767766).\n\n - knfsd: Unexport cache_fresh and fix a small race (bnc#767766).\n\n - knfsd: nfsd: do not drop silently on upcall deferral (bnc#767766).\n\n - knfsd: svcrpc: remove another silent drop from deferral code (bnc#767766).\n\n - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked (bnc#767766).\n\n - sunrpc/cache: recheck cache validity after cache_defer_req (bnc#767766).\n\n - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req (bnc#767766).\n\n - sunrpc/cache: avoid variable over-loading in cache_defer_req (bnc#767766).\n\n - sunrpc/cache: allow thread to block while waiting for cache update (bnc#767766).\n\n - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update (bnc#767766).\n\n - sunrpc/cache: Another fix for race problem with sunrpc cache deferal (bnc#767766).\n\n - knfsd: nfsd: make all exp_finding functions return\n\n-errnos on err (bnc#767766).\n\n - Fix kabi breakage in previous nfsd patch series (bnc#767766).\n\n - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout (bnc#767766).\n\n - nfs: Fix a potential file corruption issue when writing (bnc#773272).\n\n - nfs: Allow sync writes to be multiple pages (bnc#763526).\n\n - nfs: fix reference counting for NFSv4 callback thread (bnc#767504).\n\n - nfs: flush signals before taking down callback thread (bnc#767504).\n\n - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504).\n\nSCSI :\n\n - SCSI/ch: Check NULL for kmalloc() return (bnc#783058).\n drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc (bnc#783058).\n\n block: fail SCSI passthrough ioctls on partition devices (bnc#738400).\n\n dm: do not forward ioctls from logical volumes to the underlying device (bnc#738400).\n\n vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507).\n\nS/390 :\n\n - lgr: Make lgr_page static (bnc#772409,LTC#83520).\n\n - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203).\n\n be2net: Fix EEH error reset before a flash dump completes (bnc#755546).\n\n - mptfusion: fix msgContext in mptctl_hp_hostinfo (bnc#767939).\n\n - PCI: Fix bus resource assignment on 32 bits with 64b resources. (bnc#762581)\n\n - PCI: fix up setup-bus.c #ifdef. (bnc#762581) x86:\n powernow-k8: Fix indexing issue (bnc#758985).\n\n net: Fix race condition about network device name allocation (bnc#747576).\n\nXEN :\n\n - smpboot: adjust ordering of operations.\n\n - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time (bnc#738528).\n\n - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53 (bnc#760974).\n\n - xen/gntdev: fix multi-page slot allocation (bnc#760974).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2015-05-20T00:00:00", "type": "nessus", "title": "SUSE SLED10 / SLES10 Security Update : kernel (SUSE-SU-2012:1391-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4649", "CVE-2011-1044", "CVE-2011-2494", "CVE-2011-4110", "CVE-2012-2136", "CVE-2012-2663", "CVE-2012-2744", "CVE-2012-3400", "CVE-2012-3510"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-bigsmp", "p-cpe:/a:novell:suse_linux:kernel-debug", "p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-kdump", "p-cpe:/a:novell:suse_linux:kernel-kdumppae", "p-cpe:/a:novell:suse_linux:kernel-smp", "p-cpe:/a:novell:suse_linux:kernel-source", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-vmi", "p-cpe:/a:novell:suse_linux:kernel-vmipae", "p-cpe:/a:novell:suse_linux:kernel-xen", "p-cpe:/a:novell:suse_linux:kernel-xenpae", "cpe:/o:novell:suse_linux:10"], "id": "SUSE_SU-2012-1391-1.NASL", "href": "https://www.tenable.com/plugins/nessus/83563", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2012:1391-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(83563);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2010-4649\", \"CVE-2011-1044\", \"CVE-2011-2494\", \"CVE-2011-4110\", \"CVE-2012-2136\", \"CVE-2012-2663\", \"CVE-2012-2744\", \"CVE-2012-3400\", \"CVE-2012-3510\");\n script_bugtraq_id(46073, 46488, 50314, 50755, 53721, 53733, 54279, 54367, 55144);\n\n script_name(english:\"SUSE SLED10 / SLES10 Security Update : kernel (SUSE-SU-2012:1391-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This Linux kernel update fixes various security issues and bugs in the\nSUSE Linux Enterprise 10 SP4 kernel.\n\nThe following security issues have been fixed :\n\nCVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local\nusers to obtain sensitive I/O statistics by sending taskstats commands\nto a netlink socket, as demonstrated by discovering the length of\nanother users password (a side channel attack).\n\nCVE-2012-2744: net/ipv6/netfilter/nf_conntrack_reasm.c in\nthe Linux kernel, when the nf_conntrack_ipv6 module is\nenabled, allowed remote attackers to cause a denial of\nservice (NULL pointer dereference and system crash) via\ncertain types of fragmented IPv6 packets.\n\nCVE-2012-3510: Use-after-free vulnerability in the\nxacct_add_tsk function in kernel/tsacct.c in the Linux\nkernel allowed local users to obtain potentially sensitive\ninformation from kernel memory or cause a denial of service\n(system crash) via a taskstats TASKSTATS_CMD_ATTR_PID\ncommand.\n\nCVE-2011-4110: The user_update function in\nsecurity/keys/user_defined.c in the Linux kernel 2.6 allowed\nlocal users to cause a denial of service (NULL pointer\ndereference and kernel oops) via vectors related to a\nuser-defined key and updating a negative key into a fully\ninstantiated key.\n\nCVE-2011-1044: The ib_uverbs_poll_cq function in\ndrivers/infiniband/core/uverbs_cmd.c in the Linux kernel did\nnot initialize a certain response buffer, which allowed\nlocal users to obtain potentially sensitive information from\nkernel memory via vectors that cause this buffer to be only\npartially filled, a different vulnerability than\nCVE-2010-4649.\n\nCVE-2012-3400: Heap-based buffer overflow in the\nudf_load_logicalvol function in fs/udf/super.c in the Linux\nkernel allowed remote attackers to cause a denial of service\n(system crash) or possibly have unspecified other impact via\na crafted UDF filesystem.\n\nCVE-2012-2136: The sock_alloc_send_pskb function in\nnet/core/sock.c in the Linux kernel did not properly\nvalidate a certain length value, which allowed local users\nto cause a denial of service (heap-based buffer overflow and\nsystem crash) or possibly gain privileges by leveraging\naccess to a TUN/TAP device.\n\nCVE-2012-2663: A small denial of service leak in dropping\nsyn+fin messages was fixed.\n\nThe following non-security issues have been fixed :\n\nPackaging :\n\n - kbuild: Fix gcc -x syntax (bnc#773831).\n\nNFS :\n\n - knfsd: An assortment of little fixes to the sunrpc cache\n code (bnc#767766).\n\n - knfsd: Unexport cache_fresh and fix a small race\n (bnc#767766).\n\n - knfsd: nfsd: do not drop silently on upcall deferral\n (bnc#767766).\n\n - knfsd: svcrpc: remove another silent drop from deferral\n code (bnc#767766).\n\n - sunrpc/cache: simplify cache_fresh_locked and\n cache_fresh_unlocked (bnc#767766).\n\n - sunrpc/cache: recheck cache validity after\n cache_defer_req (bnc#767766).\n\n - sunrpc/cache: use list_del_init for the list_head\n entries in cache_deferred_req (bnc#767766).\n\n - sunrpc/cache: avoid variable over-loading in\n cache_defer_req (bnc#767766).\n\n - sunrpc/cache: allow thread to block while waiting for\n cache update (bnc#767766).\n\n - sunrpc/cache: Fix race in sunrpc/cache introduced by\n patch to allow thread to block while waiting for cache\n update (bnc#767766).\n\n - sunrpc/cache: Another fix for race problem with sunrpc\n cache deferal (bnc#767766).\n\n - knfsd: nfsd: make all exp_finding functions return\n\n-errnos on err (bnc#767766).\n\n - Fix kabi breakage in previous nfsd patch series\n (bnc#767766).\n\n - nfsd: Work around incorrect return type for\n wait_for_completion_interruptible_timeout (bnc#767766).\n\n - nfs: Fix a potential file corruption issue when writing\n (bnc#773272).\n\n - nfs: Allow sync writes to be multiple pages\n (bnc#763526).\n\n - nfs: fix reference counting for NFSv4 callback thread\n (bnc#767504).\n\n - nfs: flush signals before taking down callback thread\n (bnc#767504).\n\n - nfsv4: Ensure nfs_callback_down() calls svc_destroy()\n (bnc#767504).\n\nSCSI :\n\n - SCSI/ch: Check NULL for kmalloc() return (bnc#783058).\n drivers/scsi/aic94xx/aic94xx_init.c: correct the size\n argument to kmalloc (bnc#783058).\n\n block: fail SCSI passthrough ioctls on partition devices\n (bnc#738400).\n\n dm: do not forward ioctls from logical volumes to the\n underlying device (bnc#738400).\n\n vmware: Fix VMware hypervisor detection (bnc#777575,\n bnc#770507).\n\nS/390 :\n\n - lgr: Make lgr_page static (bnc#772409,LTC#83520).\n\n - zfcp: Fix oops in _blk_add_trace()\n (bnc#772409,LTC#83510). kernel: Add z/VM LGR detection\n (bnc#767277,LTC#RAS1203).\n\n be2net: Fix EEH error reset before a flash dump\n completes (bnc#755546).\n\n - mptfusion: fix msgContext in mptctl_hp_hostinfo\n (bnc#767939).\n\n - PCI: Fix bus resource assignment on 32 bits with 64b\n resources. (bnc#762581)\n\n - PCI: fix up setup-bus.c #ifdef. (bnc#762581) x86:\n powernow-k8: Fix indexing issue (bnc#758985).\n\n net: Fix race condition about network device name\n allocation (bnc#747576).\n\nXEN :\n\n - smpboot: adjust ordering of operations.\n\n - xen/x86-64: provide a memset() that can deal with 4Gb or\n above at a time (bnc#738528).\n\n - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53\n (bnc#760974).\n\n - xen/gntdev: fix multi-page slot allocation (bnc#760974).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://download.suse.com/patch/finder/?keywords=118cf41af33f48911c473f3bd88c74a8\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?78b77189\"\n );\n # http://download.suse.com/patch/finder/?keywords=1d5bd8295622191606c935851bd82ff9\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?de8841aa\"\n );\n # http://download.suse.com/patch/finder/?keywords=3b3320a96f49fe4615b35ba22bb6cbf3\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b107d19c\"\n );\n # http://download.suse.com/patch/finder/?keywords=9dc087603b172b449aa9a07b548bf3cf\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?96b149b9\"\n );\n # http://download.suse.com/patch/finder/?keywords=c77cfcc87d8e54df006cb42c12c2fadb\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?662e8c98\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1044.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-4110.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-2136.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-2663.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-2744.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-3510.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/674284\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/703156\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/734056\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/738400\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/738528\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/747576\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/755546\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/758985\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/760974\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/762581\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/763526\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/765102\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/765320\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/767277\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/767504\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/767766\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/767939\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/769784\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/770507\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/770697\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/772409\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/773272\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/773831\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/776888\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/777575\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/783058\"\n );\n # https://www.suse.com/support/update/announcement/2012/suse-su-20121391-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a7170536\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-bigsmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-kdumppae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-smp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-vmi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-vmipae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xenpae\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/10/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED10|SLES10)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED10 / SLES10\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED10\" && (! ereg(pattern:\"^4$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED10 SP4\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLES10\" && (! ereg(pattern:\"^4$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES10 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-default-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-smp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-source-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-syms-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-xen-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-bigsmp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-xenpae-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-default-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-smp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-source-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-syms-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-xen-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-bigsmp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-xenpae-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-kdump-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-smp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-xen-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-bigsmp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-kdumppae-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-vmi-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-vmipae-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"x86_64\", reference:\"kernel-xenpae-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", reference:\"kernel-default-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", reference:\"kernel-source-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", reference:\"kernel-syms-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-debug-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-kdump-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-smp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-xen-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-bigsmp-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-kdumppae-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-vmi-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-vmipae-2.6.16.60-0.99.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:\"4\", cpu:\"i586\", reference:\"kernel-xenpae-2.6.16.60-0.99.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-18T14:40:15", "description": "An updated rhev-hypervisor package that fixes one security issue and several bugs is now available.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe rhev-hypervisor package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.\n\nA flaw was found that allowed napi_reuse_skb() to be called on VLAN (virtual LAN) packets. An attacker on the local network could trigger this flaw by sending specially crafted packets to a target system, possibly causing a denial of service. (CVE-2011-1576)\n\nRed Hat would like to thank Ryan Sweat for reporting CVE-2011-1576.\n\nThis updated package provides updated components that include fixes for security issues; however, these issues have no security impact for Red Hat Enterprise Virtualization Hypervisor. These fixes are for bash issue CVE-2008-5374; curl issue CVE-2011-2192; kernel issues CVE-2010-4649, CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182, CVE-2011-1573, CVE-2011-1593, CVE-2011-1745, CVE-2011-1746, CVE-2011-1776, CVE-2011-1780, CVE-2011-1936, CVE-2011-2022, CVE-2011-2213, CVE-2011-2492, CVE-2011-2525, and CVE-2011-2689; libvirt issue CVE-2011-2511; and rsync issue CVE-2007-6200.\n\nThis update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section.\n\nAs Red Hat Enterprise Virtualization Hypervisor is based on KVM, the bug fixes from the KVM update RHBA-2011:1068 have been included in this update :\n\nhttps://rhn.redhat.com/errata/RHBA-2011-1068.html\n\nUsers of Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which resolves this issue and fixes the bugs noted in the Technical Notes.", "cvss3": {}, "published": "2014-11-17T00:00:00", "type": "nessus", "title": "RHEL 5 : rhev-hypervisor (RHSA-2011:1090)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 5.7, "vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-6200", "CVE-2008-5374", "CVE-2010-4649", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-1044", "CVE-2011-1182", "CVE-2011-1573", "CVE-2011-1576", "CVE-2011-1593", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1776", "CVE-2011-1780", "CVE-2011-1936", "CVE-2011-2022", "CVE-2011-2192", "CVE-2011-2213", "CVE-2011-2492", "CVE-2011-2511", "CVE-2011-2525", "CVE-2011-2689"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor", "cpe:/o:redhat:enterprise_linux:5"], "id": "REDHAT-RHSA-2011-1090.NASL", "href": "https://www.tenable.com/plugins/nessus/79279", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2011:1090. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79279);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-1576\");\n script_xref(name:\"RHSA\", value:\"2011:1090\");\n\n script_name(english:\"RHEL 5 : rhev-hypervisor (RHSA-2011:1090)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated rhev-hypervisor package that fixes one security issue and\nseveral bugs is now available.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nThe rhev-hypervisor package provides a Red Hat Enterprise\nVirtualization Hypervisor ISO disk image. The Red Hat Enterprise\nVirtualization Hypervisor is a dedicated Kernel-based Virtual Machine\n(KVM) hypervisor. It includes everything necessary to run and manage\nvirtual machines: A subset of the Red Hat Enterprise Linux operating\nenvironment and the Red Hat Enterprise Virtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available\nfor the Intel 64 and AMD64 architectures with virtualization\nextensions.\n\nA flaw was found that allowed napi_reuse_skb() to be called on VLAN\n(virtual LAN) packets. An attacker on the local network could trigger\nthis flaw by sending specially crafted packets to a target system,\npossibly causing a denial of service. (CVE-2011-1576)\n\nRed Hat would like to thank Ryan Sweat for reporting CVE-2011-1576.\n\nThis updated package provides updated components that include fixes\nfor security issues; however, these issues have no security impact for\nRed Hat Enterprise Virtualization Hypervisor. These fixes are for bash\nissue CVE-2008-5374; curl issue CVE-2011-2192; kernel issues\nCVE-2010-4649, CVE-2011-0695, CVE-2011-0711, CVE-2011-1044,\nCVE-2011-1182, CVE-2011-1573, CVE-2011-1593, CVE-2011-1745,\nCVE-2011-1746, CVE-2011-1776, CVE-2011-1780, CVE-2011-1936,\nCVE-2011-2022, CVE-2011-2213, CVE-2011-2492, CVE-2011-2525, and\nCVE-2011-2689; libvirt issue CVE-2011-2511; and rsync issue\nCVE-2007-6200.\n\nThis update also fixes several bugs. Documentation for these bug fixes\nwill be available shortly from the Technical Notes document linked to\nin the References section.\n\nAs Red Hat Enterprise Virtualization Hypervisor is based on KVM, the\nbug fixes from the KVM update RHBA-2011:1068 have been included in\nthis update :\n\nhttps://rhn.redhat.com/errata/RHBA-2011-1068.html\n\nUsers of Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to this updated package, which resolves this issue and fixes\nthe bugs noted in the Technical Notes.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1576\"\n );\n # https://docs.redhat.com/docs/en-US/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/documentation/en-US/\"\n );\n # https://rhn.redhat.com/errata/RHBA-2011-1068.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHBA-2011:1068\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2011:1090\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rhev-hypervisor package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:N/I:N/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2011:1090\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"rhev-hypervisor-5.7-20110725.1.el5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rhev-hypervisor\");\n }\n}\n", "cvss": {"score": 5.7, "vector": "AV:A/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:34:09", "description": "Aristide Fattori and Roberto Paleari reported a flaw in the Linux kernel's handling of IPv4 icmp packets. A remote user could exploit this to cause a denial of service. (CVE-2011-1927)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized data from the disk, leading to a loss of privacy. (CVE-2011-0463)\n\nTimo Warns discovered that the LDM disk partition handling code did not correctly handle certain values. By inserting a specially crafted disk device, a local attacker could exploit this to gain root privileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)\n\nJohan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nVasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)\n\nDan Rosenberg reported errors in the OSS (Open Sound System) MIDI interface. A local attacker on non-x86 systems might be able to cause a denial of service. (CVE-2011-1476)\n\nDan Rosenberg reported errors in the kernel's OSS (Open Sound System) driver for Yamaha FM synthesizer chips. A local user can exploit this to cause memory corruption, causing a denial of service or privilege escalation. (CVE-2011-1477)\n\nIt was discovered that the security fix for CVE-2010-4250 introduced a regression. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1479)\n\nDan Rosenberg discovered that MPT devices did not correctly validate certain values in ioctl calls. If these drivers were loaded, a local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nTavis Ormandy discovered that the pidmap function did not correctly handle large requests. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain ioctl values. A local attacker with access to the video subsystem could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-1745, CVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size of certain memory allocations. A local attacker with access to the video subsystem could exploit this to run the system out of memory, leading to a denial of service. (CVE-2011-1746)\n\nDan Rosenberg reported an error in the old ABI compatibility layer of ARM kernels. A local attacker could exploit this flaw to cause a denial of service or gain root privileges. (CVE-2011-1759)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle certain packet structures. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1770)\n\nBen Greear discovered that CIFS did not correctly handle direct I/O. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-1771)\n\nTimo Warns discovered that the EFI GUID partition table was not correctly parsed. A physically local attacker that could insert mountable devices could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1776)\n\nIt was discovered that an mmap() call with the MAP_PRIVATE flag on '/dev/zero' was incorrectly handled. A local attacker could exploit this to crash the system, leading to a denial of service.\n(CVE-2011-2479)\n\nRobert Swiecki discovered that mapping extensions were incorrectly handled. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2496)\n\nThe linux kernel did not properly account for PTE pages when deciding which task to kill in out of memory conditions. A local, unprivileged could exploit this flaw to cause a denial of service. (CVE-2011-2498)\n\nA flaw was found in the b43 driver in the Linux kernel. An attacker could use this flaw to cause a denial of service if the system has an active wireless interface using the b43 driver. (CVE-2011-3359)\n\nYogesh Sharma discovered that CIFS did not correctly handle UNCs that had no prefixpaths. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-3363)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used by amateur radio. A local user or a remote user on an X.25 network could exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2011-07-14T00:00:00", "type": "nessus", "title": "Ubuntu 11.04 : linux vulnerabilities (USN-1167-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3859", "CVE-2010-3874", "CVE-2010-3875", "CVE-2010-3876", "CVE-2010-3877", "CVE-2010-3880", "CVE-2010-4158", "CVE-2010-4162", "CVE-2010-4163", "CVE-2010-4164", "CVE-2010-4165", "CVE-2010-4169", "CVE-2010-4175", "CVE-2010-4243", "CVE-2010-4248", "CVE-2010-4249", "CVE-2010-4250", "CVE-2010-4256", "CVE-2010-4258", "CVE-2010-4342", "CVE-2010-4346", "CVE-2010-4527", "CVE-2010-4529", "CVE-2010-4565", "CVE-2010-4649", "CVE-2010-4668", "CVE-2011-0463", "CVE-2011-0521", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-0999", "CVE-2011-1010", "CVE-2011-1012", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1017", "CVE-2011-1019", "CVE-2011-1044", "CVE-2011-1076", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1082", "CVE-2011-1083", "CVE-2011-1090", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1163", "CVE-2011-1169", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1173", "CVE-2011-1180", "CVE-2011-1182", "CVE-2011-1476", "CVE-2011-1477", "CVE-2011-1479", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1593", "CVE-2011-1598", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1747", "CVE-2011-1748", "CVE-2011-1759", "CVE-2011-1770", "CVE-2011-1771", "CVE-2011-1776", "CVE-2011-1927", "CVE-2011-2022", "CVE-2011-2479", "CVE-2011-2496", "CVE-2011-2498", "CVE-2011-2534", "CVE-2011-3359", "CVE-2011-3363", "CVE-2011-4913"], "modified": "2020-02-26T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile", "p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual", "cpe:/o:canonical:ubuntu_linux:11.04"], "id": "UBUNTU_USN-1167-1.NASL", "href": "https://www.tenable.com/plugins/nessus/55591", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1167-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55591);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/26\");\n\n script_cve_id(\"CVE-2010-3859\", \"CVE-2010-3874\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-4158\", \"CVE-2010-4162\", \"CVE-2010-4163\", \"CVE-2010-4164\", \"CVE-2010-4165\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4243\", \"CVE-2010-4248\", \"CVE-2010-4249\", \"CVE-2010-4250\", \"CVE-2010-4256\", \"CVE-2010-4258\", \"CVE-2010-4342\", \"CVE-2010-4346\", \"CVE-2010-4527\", \"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2010-4668\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-0999\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1044\", \"CVE-2011-1076\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1083\", \"CVE-2011-1090\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1479\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1747\", \"CVE-2011-1748\", \"CVE-2011-1759\", \"CVE-2011-1770\", \"CVE-2011-1771\", \"CVE-2011-1776\", \"CVE-2011-1927\", \"CVE-2011-2022\", \"CVE-2011-2479\", \"CVE-2011-2496\", \"CVE-2011-2498\", \"CVE-2011-2534\", \"CVE-2011-3359\", \"CVE-2011-3363\", \"CVE-2011-4913\");\n script_bugtraq_id(44354, 44630, 44661, 44665, 44758, 44793, 44830, 44861, 44921, 45004, 45028, 45037, 45055, 45125, 45159, 45321, 45323, 45556, 45629, 45660, 45986, 46073, 46417, 46419, 46442, 46488, 46492, 46557, 46732, 46839, 47116, 47639, 47791, 47792);\n script_xref(name:\"USN\", value:\"1167-1\");\n\n script_name(english:\"Ubuntu 11.04 : linux vulnerabilities (USN-1167-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Aristide Fattori and Roberto Paleari reported a flaw in the Linux\nkernel's handling of IPv4 icmp packets. A remote user could exploit\nthis to cause a denial of service. (CVE-2011-1927)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not\ncorrectly clear memory when writing certain file holes. A local\nattacker could exploit this to read uninitialized data from the disk,\nleading to a loss of privacy. (CVE-2011-0463)\n\nTimo Warns discovered that the LDM disk partition handling code did\nnot correctly handle certain values. By inserting a specially crafted\ndisk device, a local attacker could exploit this to gain root\nprivileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\nclear memory. A local attacker could exploit this to read kernel stack\nmemory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\ncheck that device name strings were NULL terminated. A local attacker\ncould exploit this to crash the system, leading to a denial of\nservice, or leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check\nthat name fields were NULL terminated. A local attacker could exploit\nthis to leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1080)\n\nJohan Hovold discovered that the DCCP network stack did not correctly\nhandle certain packet combinations. A remote attacker could send\nspecially crafted network traffic that would crash the system, leading\nto a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly\ninitialize memory. A local attacker could exploit this to read kernel\nheap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nVasiliy Kulikov discovered that the netfilter code did not check\ncertain strings copied from userspace. A local attacker with netfilter\naccess could exploit this to read kernel memory or crash the system,\nleading to a denial of service. (CVE-2011-1170, CVE-2011-1171,\nCVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver\ndid not correctly initialize memory. A remote attacker could send\nspecially crafted traffic to read kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly\ncheck certain field sizes. If a system was using IRDA, a remote\nattacker could send specially crafted traffic to crash the system or\ngain root privileges. (CVE-2011-1180)\n\nDan Rosenberg reported errors in the OSS (Open Sound System) MIDI\ninterface. A local attacker on non-x86 systems might be able to cause\na denial of service. (CVE-2011-1476)\n\nDan Rosenberg reported errors in the kernel's OSS (Open Sound System)\ndriver for Yamaha FM synthesizer chips. A local user can exploit this\nto cause memory corruption, causing a denial of service or privilege\nescalation. (CVE-2011-1477)\n\nIt was discovered that the security fix for CVE-2010-4250 introduced a\nregression. A remote attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2011-1479)\n\nDan Rosenberg discovered that MPT devices did not correctly validate\ncertain values in ioctl calls. If these drivers were loaded, a local\nattacker could exploit this to read arbitrary kernel memory, leading\nto a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nTavis Ormandy discovered that the pidmap function did not correctly\nhandle large requests. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver\ndid not correctly validate certain socket structures. If this driver\nwas loaded, a local attacker could crash the system, leading to a\ndenial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain\nioctl values. A local attacker with access to the video subsystem\ncould exploit this to crash the system, leading to a denial of\nservice, or possibly gain root privileges. (CVE-2011-1745,\nCVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size\nof certain memory allocations. A local attacker with access to the\nvideo subsystem could exploit this to run the system out of memory,\nleading to a denial of service. (CVE-2011-1746)\n\nDan Rosenberg reported an error in the old ABI compatibility layer of\nARM kernels. A local attacker could exploit this flaw to cause a\ndenial of service or gain root privileges. (CVE-2011-1759)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle\ncertain packet structures. A remote attacker could exploit this to\ncrash the system, leading to a denial of service. (CVE-2011-1770)\n\nBen Greear discovered that CIFS did not correctly handle direct I/O. A\nlocal attacker with access to a CIFS partition could exploit this to\ncrash the system, leading to a denial of service. (CVE-2011-1771)\n\nTimo Warns discovered that the EFI GUID partition table was not\ncorrectly parsed. A physically local attacker that could insert\nmountable devices could exploit this to crash the system or possibly\ngain root privileges. (CVE-2011-1776)\n\nIt was discovered that an mmap() call with the MAP_PRIVATE flag on\n'/dev/zero' was incorrectly handled. A local attacker could exploit\nthis to crash the system, leading to a denial of service.\n(CVE-2011-2479)\n\nRobert Swiecki discovered that mapping extensions were incorrectly\nhandled. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2011-2496)\n\nThe linux kernel did not properly account for PTE pages when deciding\nwhich task to kill in out of memory conditions. A local, unprivileged\ncould exploit this flaw to cause a denial of service. (CVE-2011-2498)\n\nA flaw was found in the b43 driver in the Linux kernel. An attacker\ncould use this flaw to cause a denial of service if the system has an\nactive wireless interface using the b43 driver. (CVE-2011-3359)\n\nYogesh Sharma discovered that CIFS did not correctly handle UNCs that\nhad no prefixpaths. A local attacker with access to a CIFS partition\ncould exploit this to crash the system, leading to a denial of\nservice. (CVE-2011-3363)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used\nby amateur radio. A local user or a remote user on an X.25 network\ncould exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1167-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/07/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/07/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2020 Canonical, Inc. / NASL script (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(11\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 11.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2010-3859\", \"CVE-2010-3874\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-4158\", \"CVE-2010-4162\", \"CVE-2010-4163\", \"CVE-2010-4164\", \"CVE-2010-4165\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4243\", \"CVE-2010-4248\", \"CVE-2010-4249\", \"CVE-2010-4250\", \"CVE-2010-4256\", \"CVE-2010-4258\", \"CVE-2010-4342\", \"CVE-2010-4346\", \"CVE-2010-4527\", \"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2010-4668\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-0999\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1044\", \"CVE-2011-1076\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1083\", \"CVE-2011-1090\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1479\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1747\", \"CVE-2011-1748\", \"CVE-2011-1759\", \"CVE-2011-1770\", \"CVE-2011-1771\", \"CVE-2011-1776\", \"CVE-2011-1927\", \"CVE-2011-2022\", \"CVE-2011-2479\", \"CVE-2011-2496\", \"CVE-2011-2498\", \"CVE-2011-2534\", \"CVE-2011-3359\", \"CVE-2011-3363\", \"CVE-2011-4913\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1167-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"11.04\", pkgname:\"linux-image-2.6.38-10-generic\", pkgver:\"2.6.38-10.46\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"linux-image-2.6.38-10-generic-pae\", pkgver:\"2.6.38-10.46\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"linux-image-2.6.38-10-server\", pkgver:\"2.6.38-10.46\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"linux-image-2.6.38-10-versatile\", pkgver:\"2.6.38-10.46\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"linux-image-2.6.38-10-virtual\", pkgver:\"2.6.38-10.46\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-2.6-generic / linux-image-2.6-generic-pae / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:36:08", "description": "Dan Rosenberg discovered that several network ioctls did not clear kernel memory correctly. A local user could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297)\n\nBrad Spengler discovered that stack memory for new a process was not correctly calculated. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3858)\n\nDan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859)\n\nDan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)\n\nDan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4073)\n\nDan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077)\n\nDan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081)\n\nDan Rosenberg discovered that the VIA video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4082)\n\nDan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083)\n\nJames Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157)\n\nDan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160)\n\nDan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162)\n\nDan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163, CVE-2010-4668)\n\nDave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169)\n\nDan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175)\n\nAlan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. If the mmap_min-addr sysctl was changed from the Ubuntu default to a value of 0, a local attacker could exploit this flaw to gain root privileges. (CVE-2010-4242)\n\nBrad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243)\n\nIt was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248)\n\nIt was discovered that named pipes did not correctly handle certain fcntl calls. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4256)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel addresses into the /proc filesystem. A local attacker could use this to increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nDan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)\n\nKees Cook discovered that some ethtool functions did not correctly clear heap memory. A local attacker with CAP_NET_ADMIN privileges could exploit this to read portions of kernel heap memory, leading to a loss of privacy. (CVE-2010-4655)\n\nKees Cook discovered that the IOWarrior USB device driver did not correctly check certain size fields. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2010-4656)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized data from the disk, leading to a loss of privacy. (CVE-2011-0463)\n\nDan Carpenter discovered that the TTPCI DVB driver did not check certain values during an ioctl. If the dvb-ttpci module was loaded, a local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-0521)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race condition. On systems using InfiniBand, a local attacker could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory. A local attacker could make crafted ioctl calls to leak portions of kernel stack memory, leading to a loss of privacy.\n(CVE-2011-0711)\n\nRafael Dominguez Vega discovered that the caiaq Native Instruments USB driver did not correctly validate string lengths. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges.\n(CVE-2011-0712)\n\nKees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726)\n\nTimo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010)\n\nTimo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1012)\n\nMatthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not correctly validate certain registers. On systems with specific hardware, a local attacker could exploit this to write to arbitrary video memory. (CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did not correctly handle certain values. By inserting a specially crafted disk device, a local attacker could exploit this to gain root privileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not needed to load kernel modules. A local attacker with the CAP_NET_ADMIN capability could load existing kernel modules, possibly increasing the attack surface available on the system.\n(CVE-2011-1019)\n\nIt was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)\n\nNelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service.\n(CVE-2011-1082)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain orders of operation with ACL data. A remote attacker with access to an NFSv4 mount could exploit this to crash the system, leading to a denial of service. (CVE-2011-1090)\n\nJohan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nTimo Warns discovered that OSF partition parsing routines did not correctly clear memory. A local attacker with physical access could plug in a specially crafted block device to read kernel memory, leading to a loss of privacy. (CVE-2011-1163)\n\nDan Rosenberg discovered that some ALSA drivers did not correctly check the adapter index during ioctl calls. If this driver was loaded, a local attacker could make a specially crafted ioctl call to gain root privileges. (CVE-2011-1169)\n\nVasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate the signal structure from tkill(). A local attacker could exploit this to send signals to arbitrary threads, possibly bypassing expected restrictions. (CVE-2011-1182)\n\nRyan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493)\n\nDan Rosenberg discovered that MPT devices did not correctly validate certain values in ioctl calls. If these drivers were loaded, a local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nTimo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577)\n\nTavis Ormandy discovered that the pidmap function did not correctly handle large requests. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain ioctl values. A local attacker with access to the video subsystem could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-1745, CVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size of certain memory allocations. A local attacker with access to the video subsystem could exploit this to run the system out of memory, leading to a denial of service. (CVE-2011-1746)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle certain packet structures. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1770)\n\nVasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833)\n\nVasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could expoit this to exhaust memory and CPU resources, leading to a denial of service.\n(CVE-2011-2484)\n\nIt was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy.\n(CVE-2011-2492)\n\nFernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.\n(CVE-2011-2699)\n\nThe performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2011-09-14T00:00:00", "type": "nessus", "title": "USN-1202-1 : linux-ti-omap4 vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3296", "CVE-2010-3297", "CVE-2010-3858", "CVE-2010-3859", "CVE-2010-3874", "CVE-2010-3880", "CVE-2010-4073", "CVE-2010-4075", "CVE-2010-4076", "CVE-2010-4077", "CVE-2010-4080", "CVE-2010-4081", "CVE-2010-4082", "CVE-2010-4083", "CVE-2010-4157", "CVE-2010-4160", "CVE-2010-4162", "CVE-2010-4163", "CVE-2010-4169", "CVE-2010-4175", "CVE-2010-4242", "CVE-2010-4243", "CVE-2010-4248", "CVE-2010-4256", "CVE-2010-4565", "CVE-2010-4649", "CVE-2010-4655", "CVE-2010-4656", "CVE-2010-4668", "CVE-2011-0463", "CVE-2011-0521", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-0712", "CVE-2011-0726", "CVE-2011-1010", "CVE-2011-1012", "CVE-2011-1013", "CVE-2011-1016", "CVE-2011-1017", "CVE-2011-1019", "CVE-2011-1020", "CVE-2011-1044", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1082", "CVE-2011-1090", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1163", "CVE-2011-1169", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1173", "CVE-2011-1180", "CVE-2011-1182", "CVE-2011-1478", "CVE-2011-1493", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1577", "CVE-2011-1593", "CVE-2011-1598", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1748", "CVE-2011-1770", "CVE-2011-1833", "CVE-2011-2022", "CVE-2011-2484", "CVE-2011-2492", "CVE-2011-2534", "CVE-2011-2699", "CVE-2011-2918"], "modified": "2016-05-26T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux"], "id": "UBUNTU_USN-1202-1.NASL", "href": "https://www.tenable.com/plugins/nessus/56190", "sourceData": "# This script was automatically generated from Ubuntu Security\n# Notice USN-1202-1. It is released under the Nessus Script \n# Licence.\n#\n# Ubuntu Security Notices are (C) Canonical, Inc.\n# See http://www.ubuntu.com/usn/\n# Ubuntu(R) is a registered trademark of Canonical, Inc.\n\nif (!defined_func(\"bn_random\")) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(56190);\n script_version(\"$Revision: 1.6 $\");\n script_cvs_date(\"$Date: 2016/05/26 16:14:09 $\");\n\n script_cve_id(\"CVE-2010-3296\", \"CVE-2010-3297\", \"CVE-2010-3858\", \"CVE-2010-3859\", \"CVE-2010-3874\", \"CVE-2010-3880\", \"CVE-2010-4073\", \"CVE-2010-4075\", \"CVE-2010-4076\", \"CVE-2010-4077\", \"CVE-2010-4080\", \"CVE-2010-4081\", \"CVE-2010-4082\", \"CVE-2010-4083\", \"CVE-2010-4157\", \"CVE-2010-4160\", \"CVE-2010-4162\", \"CVE-2010-4163\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4242\", \"CVE-2010-4243\", \"CVE-2010-4248\", \"CVE-2010-4256\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2010-4655\", \"CVE-2010-4656\", \"CVE-2010-4668\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1020\", \"CVE-2011-1044\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1090\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1478\", \"CVE-2011-1493\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1577\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1748\", \"CVE-2011-1770\", \"CVE-2011-1833\", \"CVE-2011-2022\", \"CVE-2011-2484\", \"CVE-2011-2492\", \"CVE-2011-2534\", \"CVE-2011-2699\", \"CVE-2011-2918\");\n script_xref(name:\"USN\", value:\"1202-1\");\n\n script_name(english:\"USN-1202-1 : linux-ti-omap4 vulnerabilities\");\n script_summary(english:\"Checks dpkg output for updated package(s)\");\n\n script_set_attribute(attribute:\"synopsis\", value: \n\"The remote Ubuntu host is missing one or more security-related\npatches.\");\n script_set_attribute(attribute:\"description\", value:\n\"Dan Rosenberg discovered that several network ioctls did not clear\nkernel memory correctly. A local user could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-3296,\nCVE-2010-3297)\n\nBrad Spengler discovered that stack memory for new a process was not\ncorrectly calculated. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2010-3858)\n\nDan Rosenberg discovered that the Linux kernel TIPC implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to gain root privileges. (CVE-2010-3859)\n\nDan Rosenberg discovered that the CAN protocol on 64bit systems did\nnot correctly calculate the size of certain buffers. A local attacker\ncould exploit this to crash the system or possibly execute arbitrary\ncode as the root user. (CVE-2010-3874)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation\ndid not properly audit certain bytecodes in netlink messages. A local\nattacker could exploit this to cause the kernel to hang, leading to a\ndenial of service. (CVE-2010-3880)\n\nDan Rosenberg discovered that IPC structures were not correctly\ninitialized on 64bit systems. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4073)\n\nDan Rosenberg discovered that multiple terminal ioctls did not\ncorrectly initialize structure memory. A local attacker could exploit\nthis to read portions of kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077)\n\nDan Rosenberg discovered that the RME Hammerfall DSP audio interface\ndriver did not correctly clear kernel memory. A local attacker could\nexploit this to read kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4080, CVE-2010-4081)\n\nDan Rosenberg discovered that the VIA video driver did not correctly\nclear kernel memory. A local attacker could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-4082)\n\nDan Rosenberg discovered that the semctl syscall did not correctly\nclear kernel memory. A local attacker could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-4083)\n\nJames Bottomley discovered that the ICP vortex storage array\ncontroller driver did not validate certain sizes. A local attacker on\na 64bit system could exploit this to crash the kernel, leading to a\ndenial of service. (CVE-2010-4157)\n\nDan Rosenberg discovered that the Linux kernel L2TP implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to to crash the kernel, or possibly gain root\nprivileges. (CVE-2010-4160)\n\nDan Rosenberg discovered that certain iovec operations did not\ncalculate page counts correctly. A local attacker could exploit this\nto crash the system, leading to a denial of service. (CVE-2010-4162)\n\nDan Rosenberg discovered that the SCSI subsystem did not correctly\nvalidate iov segments. A local attacker with access to a SCSI device\ncould send specially crafted requests to crash the system, leading to\na denial of service. (CVE-2010-4163, CVE-2010-4668)\n\nDave Jones discovered that the mprotect system call did not correctly\nhandle merged VMAs. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-4169)\n\nDan Rosenberg discovered that the RDS protocol did not correctly\ncheck ioctl arguments. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2010-4175)\n\nAlan Cox discovered that the HCI UART driver did not correctly check\nif a write operation was available. If the mmap_min-addr sysctl was\nchanged from the Ubuntu default to a value of 0, a local attacker\ncould exploit this flaw to gain root privileges. (CVE-2010-4242)\n\nBrad Spengler discovered that the kernel did not correctly account\nfor userspace memory allocations during exec() calls. A local\nattacker could exploit this to consume all system memory, leading to\na denial of service. (CVE-2010-4243)\n\nIt was discovered that multithreaded exec did not handle CPU timers\ncorrectly. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4248)\n\nIt was discovered that named pipes did not correctly handle certain\nfcntl calls. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4256)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel\naddresses into the /proc filesystem. A local attacker could use this\nto increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nDan Carpenter discovered that the Infiniband driver did not correctly\nhandle certain requests. A local user could exploit this to crash the\nsystem or potentially gain root privileges. (CVE-2010-4649,\nCVE-2011-1044)\n\nKees Cook discovered that some ethtool functions did not correctly\nclear heap memory. A local attacker with CAP_NET_ADMIN privileges\ncould exploit this to read portions of kernel heap memory, leading to\na loss of privacy. (CVE-2010-4655)\n\nKees Cook discovered that the IOWarrior USB device driver did not\ncorrectly check certain size fields. A local attacker with physical\naccess could plug in a specially crafted USB device to crash the\nsystem or potentially gain root privileges. (CVE-2010-4656)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not\ncorrectly clear memory when writing certain file holes. A local\nattacker could exploit this to read uninitialized data from the disk,\nleading to a loss of privacy. (CVE-2011-0463)\n\nDan Carpenter discovered that the TTPCI DVB driver did not check\ncertain values during an ioctl. If the dvb-ttpci module was loaded, a\nlocal attacker could exploit this to crash the system, leading to a\ndenial of service, or possibly gain root privileges. (CVE-2011-0521)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race\ncondition. On systems using InfiniBand, a local attacker could send\nspecially crafted requests to crash the system, leading to a denial\nof service. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize\nmemory. A local attacker could make crafted ioctl calls to leak\nportions of kernel stack memory, leading to a loss of privacy.\n(CVE-2011-0711)\n\nRafael Dominguez Vega discovered that the caiaq Native Instruments\nUSB driver did not correctly validate string lengths. A local\nattacker with physical access could plug in a specially crafted USB\ndevice to crash the system or potentially gain root privileges.\n(CVE-2011-0712)\n\nKees Cook reported that /proc/pid/stat did not correctly filter\ncertain memory locations. A local attacker could determine the memory\nlayout of processes in an attempt to increase the chances of a\nsuccessful memory corruption exploit. (CVE-2011-0726)\n\nTimo Warns discovered that MAC partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem or potentially gain root privileges. (CVE-2011-1010)\n\nTimo Warns discovered that LDM partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem, leading to a denial of service. (CVE-2011-1012)\n\nMatthiew Herrb discovered that the drm modeset interface did not\ncorrectly handle a signed comparison. A local attacker could exploit\nthis to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not\ncorrectly validate certain registers. On systems with specific\nhardware, a local attacker could exploit this to write to arbitrary\nvideo memory. (CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did\nnot correctly handle certain values. By inserting a specially crafted\ndisk device, a local attacker could exploit this to gain root\nprivileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not\nneeded to load kernel modules. A local attacker with the\nCAP_NET_ADMIN capability could load existing kernel modules, possibly\nincreasing the attack surface available on the system.\n(CVE-2011-1019)\n\nIt was discovered that the /proc filesystem did not correctly handle\npermission changes when programs executed. A local attacker could\nhold open files to examine details about programs running with higher\nprivileges, potentially increasing the chances of exploiting\nadditional vulnerabilities. (CVE-2011-1020)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\nclear memory. A local attacker could exploit this to read kernel\nstack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\ncheck that device name strings were NULL terminated. A local attacker\ncould exploit this to crash the system, leading to a denial of\nservice, or leak contents of kernel stack memory, leading to a loss\nof privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not\ncheck that name fields were NULL terminated. A local attacker could\nexploit this to leak contents of kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1080)\n\nNelson Elhage discovered that the epoll subsystem did not correctly\nhandle certain structures. A local attacker could create malicious\nrequests that would hang the system, leading to a denial of service.\n(CVE-2011-1082)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain\norders of operation with ACL data. A remote attacker with access to\nan NFSv4 mount could exploit this to crash the system, leading to a\ndenial of service. (CVE-2011-1090)\n\nJohan Hovold discovered that the DCCP network stack did not correctly\nhandle certain packet combinations. A remote attacker could send\nspecially crafted network traffic that would crash the system,\nleading to a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly\ninitialize memory. A local attacker could exploit this to read kernel\nheap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nTimo Warns discovered that OSF partition parsing routines did not\ncorrectly clear memory. A local attacker with physical access could\nplug in a specially crafted block device to read kernel memory,\nleading to a loss of privacy. (CVE-2011-1163)\n\nDan Rosenberg discovered that some ALSA drivers did not correctly\ncheck the adapter index during ioctl calls. If this driver was\nloaded, a local attacker could make a specially crafted ioctl call to\ngain root privileges. (CVE-2011-1169)\n\nVasiliy Kulikov discovered that the netfilter code did not check\ncertain strings copied from userspace. A local attacker with\nnetfilter access could exploit this to read kernel memory or crash\nthe system, leading to a denial of service. (CVE-2011-1170,\nCVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver\ndid not correctly initialize memory. A remote attacker could send\nspecially crafted traffic to read kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly\ncheck certain field sizes. If a system was using IRDA, a remote\nattacker could send specially crafted traffic to crash the system or\ngain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate\nthe signal structure from tkill(). A local attacker could exploit\nthis to send signals to arbitrary threads, possibly bypassing\nexpected restrictions. (CVE-2011-1182)\n\nRyan Sweat discovered that the GRO code did not correctly validate\nmemory. In some configurations on systems using VLANs, a remote\nattacker could send specially crafted traffic to crash the system,\nleading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that the X.25 Rose network stack did not\ncorrectly handle certain fields. If a system was running with Rose\nenabled, a remote attacker could send specially crafted traffic to\ngain root privileges. (CVE-2011-1493)\n\nDan Rosenberg discovered that MPT devices did not correctly validate\ncertain values in ioctl calls. If these drivers were loaded, a local\nattacker could exploit this to read arbitrary kernel memory, leading\nto a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nTimo Warns discovered that the GUID partition parsing routines did\nnot correctly validate certain structures. A local attacker with\nphysical access could plug in a specially crafted block device to\ncrash the system, leading to a denial of service. (CVE-2011-1577)\n\nTavis Ormandy discovered that the pidmap function did not correctly\nhandle large requests. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver\ndid not correctly validate certain socket structures. If this driver\nwas loaded, a local attacker could crash the system, leading to a\ndenial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain\nioctl values. A local attacker with access to the video subsystem\ncould exploit this to crash the system, leading to a denial of\nservice, or possibly gain root privileges. (CVE-2011-1745,\nCVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size\nof certain memory allocations. A local attacker with access to the\nvideo subsystem could exploit this to run the system out of memory,\nleading to a denial of service. (CVE-2011-1746)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle\ncertain packet structures. A remote attacker could exploit this to\ncrash the system, leading to a denial of service. (CVE-2011-1770)\n\nVasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not\ncorrectly check the origin of mount points. A local attacker could\nexploit this to trick the system into unmounting arbitrary mount\npoints, leading to a denial of service. (CVE-2011-1833)\n\nVasiliy Kulikov discovered that taskstats listeners were not\ncorrectly handled. A local attacker could expoit this to exhaust\nmemory and CPU resources, leading to a denial of service.\n(CVE-2011-2484)\n\nIt was discovered that Bluetooth l2cap and rfcomm did not correctly\ninitialize structures. A local attacker could exploit this to read\nportions of the kernel stack, leading to a loss of privacy.\n(CVE-2011-2492)\n\nFernando Gont discovered that the IPv6 stack used predictable\nfragment identification numbers. A remote attacker could exploit this\nto exhaust network resources, leading to a denial of service.\n(CVE-2011-2699)\n\nThe performance counter subsystem did not correctly handle certain\ncounters. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2011-2918)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.ubuntu.com/usn/usn-1202-1/\");\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package(s).\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/13\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2011/09/14\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(\"Ubuntu Security Notice (C) 2011 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude(\"ubuntu.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/Ubuntu/release\")) exit(0, \"The host is not running Ubuntu.\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) exit(1, \"Could not obtain the list of installed packages.\");\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-903-omap4\", pkgver:\"2.6.35-903.24\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:ubuntu_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-01-11T14:19:39", "description": "a. ESX third-party update for Service Console kernel The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the COS kernel.\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079, CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494, CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649, CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182, CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745, CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022, CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525, CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495, CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.\n b. ESX third-party update for Service Console cURL RPM The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9 resolving a security issues.\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2192 to this issue.\n c. ESX third-party update for Service Console nspr and nss RPMs The ESX Service Console (COS) nspr and nss RPMs are updated to nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving a security issues.\n A Certificate Authority (CA) issued fraudulent SSL certificates and Netscape Portable Runtime (NSPR) and Network Security Services (NSS) contain the built-in tokens of this fraudulent Certificate Authority. This update renders all SSL certificates signed by the fraudulent CA as untrusted for all uses.\n d. ESX third-party update for Service Console rpm RPMs The ESX Service Console Operating System (COS) rpm packages are updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2, rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2 which fixes multiple security issues.\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-2059 and CVE-2011-3378 to these issues.\n e. ESX third-party update for Service Console samba RPMs The ESX Service Console Operating System (COS) samba packages are updated to samba-client-3.0.33-3.29.el5_7.4, samba-common-3.0.33-3.29.el5_7.4 and libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security issues in the Samba client.\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678, CVE-2011-2522 and CVE-2011-2694 to these issues.\n Note that ESX does not include the Samba Web Administration Tool (SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and CVE-2011-2694.\n f. ESX third-party update for Service Console python package The ESX Service Console (COS) python package is updated to 2.4.3-44 which fixes multiple security issues.\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and CVE-2011-1521 to these issues.\n g. ESXi update to third-party component python The python third-party library is updated to python 2.5.6 which fixes multiple security issues.\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634, CVE-2010-2089, and CVE-2011-1521 to these issues.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2012-01-31T00:00:00", "type": "nessus", "title": "VMSA-2012-0001 : VMware ESXi and ESX updates to third-party library and ESX Service Console", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3560", "CVE-2009-3720", "CVE-2010-0547", "CVE-2010-0787", "CVE-2010-1634", "CVE-2010-2059", "CVE-2010-2089", "CVE-2010-3493", "CVE-2010-4649", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-0726", "CVE-2011-1015", "CVE-2011-1044", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1163", "CVE-2011-1166", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1182", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1521", "CVE-2011-1573", "CVE-2011-1576", "CVE-2011-1577", "CVE-2011-1593", "CVE-2011-1678", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1763", "CVE-2011-1776", "CVE-2011-1780", "CVE-2011-1936", "CVE-2011-2022", "CVE-2011-2192", "CVE-2011-2213", "CVE-2011-2482", "CVE-2011-2491", "CVE-2011-2492", "CVE-2011-2495", "CVE-2011-2517", "CVE-2011-2519", "CVE-2011-2522", "CVE-2011-2525", "CVE-2011-2689", "CVE-2011-2694", "CVE-2011-2901", "CVE-2011-3378"], "modified": "2021-01-06T00:00:00", "cpe": ["cpe:/o:vmware:esx:4.0", "cpe:/o:vmware:esx:4.1", "cpe:/o:vmware:esxi:4.0", "cpe:/o:vmware:esxi:4.1", "cpe:/o:vmware:esxi:5.0"], "id": "VMWARE_VMSA-2012-0001.NASL", "href": "https://www.tenable.com/plugins/nessus/57749", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2012-0001. \n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57749);\n script_version(\"1.43\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2009-3560\", \"CVE-2009-3720\", \"CVE-2010-0547\", \"CVE-2010-0787\", \"CVE-2010-1634\", \"CVE-2010-2059\", \"CVE-2010-2089\", \"CVE-2010-3493\", \"CVE-2010-4649\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0726\", \"CVE-2011-1015\", \"CVE-2011-1044\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1093\", \"CVE-2011-1163\", \"CVE-2011-1166\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1182\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1521\", \"CVE-2011-1573\", \"CVE-2011-1576\", \"CVE-2011-1577\", \"CVE-2011-1593\", \"CVE-2011-1678\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1763\", \"CVE-2011-1776\", \"CVE-2011-1780\", \"CVE-2011-1936\", \"CVE-2011-2022\", \"CVE-2011-2192\", \"CVE-2011-2213\", \"CVE-2011-2482\", \"CVE-2011-2491\", \"CVE-2011-2492\", \"CVE-2011-2495\", \"CVE-2011-2517\", \"CVE-2011-2519\", \"CVE-2011-2522\", \"CVE-2011-2525\", \"CVE-2011-2689\", \"CVE-2011-2694\", \"CVE-2011-2901\", \"CVE-2011-3378\");\n script_bugtraq_id(36097, 37203, 37992, 38326, 40370, 40863, 44533, 46073, 46417, 46488, 46541, 46616, 46793, 46839, 46878, 46919, 47003, 47024, 47308, 47343, 47497, 47534, 47535, 47791, 47796, 47843, 48048, 48058, 48333, 48441, 48538, 48641, 48677, 48899, 48901, 49141, 49370, 49373, 49375, 49408, 49939);\n script_xref(name:\"VMSA\", value:\"2012-0001\");\n\n script_name(english:\"VMSA-2012-0001 : VMware ESXi and ESX updates to third-party library and ESX Service Console\");\n script_summary(english:\"Checks esxupdate output for the patches\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote VMware ESXi / ESX host is missing one or more\nsecurity-related patches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"a. ESX third-party update for Service Console kernel\n \n The ESX Service Console Operating System (COS) kernel is updated to\n kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the\n COS kernel.\n \n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\n assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,\n CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166,\n CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494,\n CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,\n CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182,\n CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745,\n CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,\n CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525,\n CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495,\n CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.\n \nb. ESX third-party update for Service Console cURL RPM\n \n The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9\n resolving a security issues.\n \n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\n assigned the name CVE-2011-2192 to this issue.\n \nc. ESX third-party update for Service Console nspr and nss RPMs\n \n The ESX Service Console (COS) nspr and nss RPMs are updated to\n nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving\n a security issues.\n \n A Certificate Authority (CA) issued fraudulent SSL certificates and\n Netscape Portable Runtime (NSPR) and Network Security Services (NSS)\n contain the built-in tokens of this fraudulent Certificate\n Authority. This update renders all SSL certificates signed by the\n fraudulent CA as untrusted for all uses.\n \nd. ESX third-party update for Service Console rpm RPMs\n \n The ESX Service Console Operating System (COS) rpm packages are\n updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2,\n rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2\n which fixes multiple security issues.\n \n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\n assigned the names CVE-2010-2059 and CVE-2011-3378 to these\n issues.\n \ne. ESX third-party update for Service Console samba RPMs\n \n The ESX Service Console Operating System (COS) samba packages are\n updated to samba-client-3.0.33-3.29.el5_7.4,\n samba-common-3.0.33-3.29.el5_7.4 and\n libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security\n issues in the Samba client.\n \n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\n assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,\n CVE-2011-2522 and CVE-2011-2694 to these issues.\n \n Note that ESX does not include the Samba Web Administration Tool\n (SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and\n CVE-2011-2694.\n \nf. ESX third-party update for Service Console python package\n \n The ESX Service Console (COS) python package is updated to\n 2.4.3-44 which fixes multiple security issues.\n \n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\n assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and\n CVE-2011-1521 to these issues.\n \ng. ESXi update to third-party component python\n \n The python third-party library is updated to python 2.5.6 which\n fixes multiple security issues.\n \n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\n assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,\n CVE-2010-2089, and CVE-2011-1521 to these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2012/000170.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the missing patches.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(20, 59, 119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:4.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:5.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/11/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/01/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", \"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2012-01-30\");\nflag = 0;\n\n\nif (\n esx_check(\n ver : \"ESX 4.0\",\n patch : \"ESX400-201203401-SG\",\n patch_updates : make_list(\"ESX400-201205401-SG\", \"ESX400-201206401-SG\", \"ESX400-201209401-SG\", \"ESX400-201302401-SG\", \"ESX400-201305401-SG\", \"ESX400-201310401-SG\", \"ESX400-201404401-SG\")\n )\n) flag++;\nif (esx_check(ver:\"ESX 4.0\", patch:\"ESX400-201203402-SG\")) flag++;\nif (esx_check(ver:\"ESX 4.0\", patch:\"ESX400-201203403-SG\")) flag++;\nif (esx_check(ver:\"ESX 4.0\", patch:\"ESX400-201203404-SG\")) flag++;\nif (\n esx_check(\n ver : \"ESX 4.0\",\n patch : \"ESX400-201203405-SG\",\n patch_updates : make_list(\"ESX400-201209404-SG\")\n )\n) flag++;\n\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201201401-SG\",\n patch_updates : make_list(\"ESX410-201204401-SG\", \"ESX410-201205401-SG\", \"ESX410-201206401-SG\", \"ESX410-201208101-SG\", \"ESX410-201211401-SG\", \"ESX410-201301401-SG\", \"ESX410-201304401-SG\", \"ESX410-201307401-SG\", \"ESX410-201312401-SG\", \"ESX410-201404401-SG\", \"ESX410-Update03\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201201402-SG\",\n patch_updates : make_list(\"ESX410-Update03\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201201404-SG\",\n patch_updates : make_list(\"ESX410-201211405-SG\", \"ESX410-201307402-SG\", \"ESX410-201312403-SG\", \"ESX410-Update03\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201201405-SG\",\n patch_updates : make_list(\"ESX410-201211407-SG\", \"ESX410-Update03\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201201406-SG\",\n patch_updates : make_list(\"ESX410-201208105-SG\", \"ESX410-Update03\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 4.1\",\n patch : \"ESX410-201201407-SG\",\n patch_updates : make_list(\"ESX410-Update03\")\n )\n) flag++;\n\nif (\n esx_check(\n ver : \"ESXi 4.0\",\n patch : \"ESXi400-201203401-SG\",\n patch_updates : make_list(\"ESXi400-201205401-SG\", \"ESXi400-201206401-SG\", \"ESXi400-201209401-SG\", \"ESXi400-201302401-SG\", \"ESXi400-201305401-SG\", \"ESXi400-201310401-SG\", \"ESXi400-201404401-SG\")\n )\n) flag++;\n\nif (\n esx_check(\n ver : \"ESXi 4.1\",\n patch : \"ESXi410-201201401-SG\",\n patch_updates : make_list(\"ESXi410-201204401-SG\", \"ESXi410-201205401-SG\", \"ESXi410-201206401-SG\", \"ESXi410-201208101-SG\", \"ESXi410-201211401-SG\", \"ESXi410-201301401-SG\", \"ESXi410-201304401-SG\", \"ESXi410-201307401-SG\", \"ESXi410-201312401-SG\", \"ESXi410-201404401-SG\", \"ESXi410-Update03\")\n )\n) flag++;\n\nif (esx_check(ver:\"ESXi 5.0\", vib:\"VMware:esx-base:5.0.0-0.10.608089\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T16:33:50", "description": "The remote VMware ESX / ESXi host is missing a security-related patch.\nIt is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries :\n\n - COS kernel\n - cURL\n - python\n - rpm", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-03-03T00:00:00", "type": "nessus", "title": "VMware ESX / ESXi Service Console and Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0001) (remote check)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3560", "CVE-2009-3720", "CVE-2010-0547", "CVE-2010-0787", "CVE-2010-1634", "CVE-2010-2059", "CVE-2010-2089", "CVE-2010-3493", "CVE-2010-4649", "CVE-2011-0695", "CVE-2011-0711", "CVE-2011-0726", "CVE-2011-1015", "CVE-2011-1044", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1093", "CVE-2011-1163", "CVE-2011-1166", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1182", "CVE-2011-1494", "CVE-2011-1495", "CVE-2011-1521", "CVE-2011-1573", "CVE-2011-1576", "CVE-2011-1577", "CVE-2011-1593", "CVE-2011-1678", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1763", "CVE-2011-1776", "CVE-2011-1780", "CVE-2011-1936", "CVE-2011-2022", "CVE-2011-2192", "CVE-2011-2213", "CVE-2011-2482", "CVE-2011-2491", "CVE-2011-2492", "CVE-2011-2495", "CVE-2011-2517", "CVE-2011-2519", "CVE-2011-2522", "CVE-2011-2525", "CVE-2011-2689", "CVE-2011-2694", "CVE-2011-2901", "CVE-2011-3378"], "modified": "2021-01-06T00:00:00", "cpe": ["cpe:/o:vmware:esx", "cpe:/o:vmware:esxi"], "id": "VMWARE_VMSA-2012-0001_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/89105", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89105);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2009-3560\",\n \"CVE-2009-3720\",\n \"CVE-2010-0547\",\n \"CVE-2010-0787\",\n \"CVE-2010-1634\",\n \"CVE-2010-2059\",\n \"CVE-2010-2089\",\n \"CVE-2010-3493\",\n \"CVE-2010-4649\",\n \"CVE-2011-0695\",\n \"CVE-2011-0711\",\n \"CVE-2011-0726\",\n \"CVE-2011-1015\",\n \"CVE-2011-1044\",\n \"CVE-2011-1078\",\n \"CVE-2011-1079\",\n \"CVE-2011-1080\",\n \"CVE-2011-1093\",\n \"CVE-2011-1163\",\n \"CVE-2011-1166\",\n \"CVE-2011-1170\",\n \"CVE-2011-1171\",\n \"CVE-2011-1172\",\n \"CVE-2011-1182\",\n \"CVE-2011-1494\",\n \"CVE-2011-1495\",\n \"CVE-2011-1521\",\n \"CVE-2011-1573\",\n \"CVE-2011-1576\",\n \"CVE-2011-1577\",\n \"CVE-2011-1593\",\n \"CVE-2011-1678\",\n \"CVE-2011-1745\",\n \"CVE-2011-1746\",\n \"CVE-2011-1763\",\n \"CVE-2011-1776\",\n \"CVE-2011-1780\",\n \"CVE-2011-1936\",\n \"CVE-2011-2022\",\n \"CVE-2011-2192\",\n \"CVE-2011-2213\",\n \"CVE-2011-2482\",\n \"CVE-2011-2491\",\n \"CVE-2011-2492\",\n \"CVE-2011-2495\",\n \"CVE-2011-2517\",\n \"CVE-2011-2519\",\n \"CVE-2011-2522\",\n \"CVE-2011-2525\",\n \"CVE-2011-2689\",\n \"CVE-2011-2694\",\n \"CVE-2011-2901\",\n \"CVE-2011-3378\"\n );\n script_bugtraq_id(\n 36097,\n 37203,\n 37992,\n 38326,\n 40370,\n 40863,\n 44533,\n 46073,\n 46417,\n 46488,\n 46541,\n 46616,\n 46793,\n 46839,\n 46878,\n 46919,\n 47003,\n 47024,\n 47308,\n 47343,\n 47497,\n 47534,\n 47535,\n 47791,\n 47796,\n 47843,\n 48048,\n 48058,\n 48333,\n 48441,\n 48538,\n 48641,\n 48677,\n 48899,\n 48901,\n 49141,\n 49370,\n 49373,\n 49375,\n 49408,\n 49939\n );\n script_xref(name:\"VMSA\", value:\"2012-0001\");\n\n script_name(english:\"VMware ESX / ESXi Service Console and Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0001) (remote check)\");\n script_summary(english:\"Checks the remote ESX/ESXi host's version and build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESXi / ESX host is missing a security-related patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote VMware ESX / ESXi host is missing a security-related patch.\nIt is, therefore, affected by multiple vulnerabilities, including\nremote code execution vulnerabilities, in several third-party\nlibraries :\n\n - COS kernel\n - cURL\n - python\n - rpm\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2012-0001.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(20, 59, 119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/01/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Misc.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Host/VMware/vsphere\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit(\"Host/VMware/version\");\nrel = get_kb_item_or_exit(\"Host/VMware/release\");\nport = get_kb_item_or_exit(\"Host/VMware/vsphere\");\n\nesx = \"ESX/ESXi\";\n\nextract = eregmatch(pattern:\"^(ESXi?) (\\d\\.\\d).*$\", string:ver);\nif (isnull(extract))\n audit(AUDIT_UNKNOWN_APP_VER, esx);\nelse\n{\n esx = extract[1];\n ver = extract[2];\n}\n\nproduct = \"VMware \" + esx;\n\n# fix builds\nfixes = make_array(\n \"ESX 4.0\", 660575,\n \"ESXi 4.0\", 660575,\n \"ESX 4.1\", 582267,\n \"ESXi 4.1\", 582267,\n \"ESXi 5.0\", 623860\n);\n\n# security-only fix builds\nsec_only_builds = make_array(\n \"ESXi 5.0\", 608089\n);\n\nkey = esx + ' ' + ver;\nfix = NULL;\nfix = fixes[key];\nsec_fix = NULL;\nsec_fix = sec_only_builds[key];\n\nbmatch = eregmatch(pattern:'^VMware ESXi?.*build-([0-9]+)$', string:rel);\nif (empty_or_null(bmatch))\n audit(AUDIT_UNKNOWN_BUILD, product, ver);\n\nbuild = int(bmatch[1]);\n\nif (!fix)\n audit(AUDIT_INST_VER_NOT_VULN, product, ver, build);\n\nif (build < fix && build != sec_fix)\n{\n # if there is a security fix\n if (sec_fix)\n fix = fix + \" / \" + sec_fix;\n\n # properly spaced label\n if (\"ESXi\" >< esx) ver_label = ' version : ';\n else ver_label = ' version : ';\n report = '\\n ' + esx + ver_label + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fix +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse\n audit(AUDIT_INST_VER_NOT_VULN, product, ver, build);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:36:19", "description": "Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859)\n\nDan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077)\n\nDan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158)\n\nDan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160)\n\nDan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162)\n\nDan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163, CVE-2010-4668)\n\nDan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175)\n\nAlan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. If the mmap_min-addr sysctl was changed from the Ubuntu default to a value of 0, a local attacker could exploit this flaw to gain root privileges. (CVE-2010-4242)\n\nBrad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243)\n\nAlex Shi and Eric Dumazet discovered that the network stack did not correctly handle packet backlogs. A remote attacker could exploit this by sending a large amount of network traffic to cause the system to run out of memory, leading to a denial of service. (CVE-2010-4251, CVE-2010-4805)\n\nIt was discovered that the ICMP stack did not correctly handle certain unreachable messages. If a remote attacker were able to acquire a socket lock, they could send specially crafted traffic that would crash the system, leading to a denial of service.\n(CVE-2010-4526)\n\nDan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)\n\nKees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726)\n\nTimo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010)\n\nTimo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1012)\n\nMatthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nIt was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)\n\nNelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service.\n(CVE-2011-1082)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain orders of operation with ACL data. A remote attacker with access to an NFSv4 mount could exploit this to crash the system, leading to a denial of service. (CVE-2011-1090)\n\nJohan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nTimo Warns discovered that OSF partition parsing routines did not correctly clear memory. A local attacker with physical access could plug in a specially crafted block device to read kernel memory, leading to a loss of privacy. (CVE-2011-1163)\n\nVasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)\n\nRyan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493)\n\nTimo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle certain packet structures. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1770)\n\nVasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833)\n\nVasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could expoit this to exhaust memory and CPU resources, leading to a denial of service.\n(CVE-2011-2484)\n\nIt was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy.\n(CVE-2011-2492)\n\nFernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.\n(CVE-2011-2699)\n\nThe performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2011-09-14T00:00:00", "type": "nessus", "title": "USN-1204-1 : linux-fsl-imx51 vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3859", "CVE-2010-4075", "CVE-2010-4076", "CVE-2010-4077", "CVE-2010-4158", "CVE-2010-4160", "CVE-2010-4162", "CVE-2010-4163", "CVE-2010-4175", "CVE-2010-4242", "CVE-2010-4243", "CVE-2010-4251", "CVE-2010-4526", "CVE-2010-4649", "CVE-2010-4668", "CVE-2010-4805", "CVE-2011-0726", "CVE-2011-1010", "CVE-2011-1012", "CVE-2011-1013", "CVE-2011-1020", "CVE-2011-1044", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1082", "CVE-2011-1090", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1163", "CVE-2011-1170", "CVE-2011-1171", "CVE-2011-1172", "CVE-2011-1173", "CVE-2011-1180", "CVE-2011-1478", "CVE-2011-1493", "CVE-2011-1577", "CVE-2011-1598", "CVE-2011-1770", "CVE-2011-1833", "CVE-2011-2484", "CVE-2011-2492", "CVE-2011-2534", "CVE-2011-2699", "CVE-2011-2918"], "modified": "2016-01-14T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux"], "id": "UBUNTU_USN-1204-1.NASL", "href": "https://www.tenable.com/plugins/nessus/56192", "sourceData": "# This script was automatically generated from Ubuntu Security\n# Notice USN-1204-1. It is released under the Nessus Script \n# Licence.\n#\n# Ubuntu Security Notices are (C) Canonical, Inc.\n# See http://www.ubuntu.com/usn/\n# Ubuntu(R) is a registered trademark of Canonical, Inc.\n\nif (!defined_func(\"bn_random\")) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(56192);\n script_version(\"$Revision: 1.5 $\");\n script_cvs_date(\"$Date: 2016/01/14 15:30:09 $\");\n\n script_cve_id(\"CVE-2010-3859\", \"CVE-2010-4075\", \"CVE-2010-4076\&quo