Red Hat Security Advisory RHSA-2009:1540
Published: Nov 03, 2009
Source: access.redhat.com

(RHSA-2009:1540) Important: kernel-rt security, bug fix, and enhancement update

Severity ratings (aggregator metadata, not part of the advisory text):

CVSS3: 7.0 High (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H): local attack vector, high attack complexity, low privileges required, no user interaction, scope unchanged, high confidentiality, integrity and availability impact.

CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:N/I:N/A:C): network access vector, low access complexity, no authentication, no confidentiality or integrity impact, complete availability impact.

EPSS: 0.073 (Low), percentile 93.4%.

Note that the two vectors do not model the same flaw: the CVSS3 vector describes a local privilege escalation, the CVSS2 vector an unauthenticated remote denial of service. An advisory that bundles twelve CVEs has no single vector, so treat these as the aggregator's summary rather than a per-CVE rating and use the per-flaw severities given in the text below.

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes:

  • the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a
    setuid or setgid program was executed. A local, unprivileged user could use
    this flaw to bypass the mmap_min_addr protection mechanism and perform a
    NULL pointer dereference attack, or bypass the Address Space Layout
    Randomization (ASLR) security feature. (CVE-2009-1895, Important)

  • a system with SELinux enforced was more permissive in allowing local
    users in the unconfined_t domain to map low memory areas even if the
    mmap_min_addr restriction was enabled. This could aid in the local
    exploitation of NULL pointer dereference bugs. (CVE-2009-2695, Important)

  • missing initialization flaws were found in getname() implementations in
    numerous network protocol implementations in the Linux kernel. Certain
    data structures in these getname() implementations were not initialized
    properly before being copied to user-space. These flaws could lead to an
    information leak. (CVE-2009-3002, Important)

  • a NULL pointer dereference flaw was found in each of the following
    functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and
    pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could
    be released by other processes before it is used to update the pipe’s
    reader and writer counters. This could lead to a local denial of service or
    privilege escalation. (CVE-2009-3547, Important)

  • a flaw was found in the Realtek r8169 Ethernet driver in the Linux
    kernel. pci_unmap_single() presented a memory leak that could lead to IOMMU
    space exhaustion and a system crash. An attacker on the local network could
    abuse this flaw by using jumbo frames for large amounts of network traffic.
    (CVE-2009-3613, Important)

  • NULL pointer dereference flaws were found in the r128 driver in the
    Linux kernel. Checks to test if the Concurrent Command Engine state was
    initialized were missing in private IOCTL functions. An attacker could use
    these flaws to cause a local denial of service or escalate their
    privileges. (CVE-2009-3620, Important)

  • Kees Cook and Steve Beattie discovered a race condition in the /proc
    code in the Linux kernel. This could lead to information in the
    “/proc/[pid]/maps” and “/proc/[pid]/smaps” files being leaked to users (who
    would otherwise not have access to this information) during ELF loading.
    This could help a local attacker bypass the ASLR security feature.
    (CVE-2009-2691, Moderate)

  • a NULL pointer dereference flaw was found in the md driver in the Linux
    kernel. If the suspend_lo or suspend_hi file in “/sys/” is modified when
    the disk array is inactive, it could lead to a local denial of service or
    privilege escalation. By default, only root can write to these two files.
    (CVE-2009-2849, Moderate)

  • an information leak was found in the Linux kernel. On AMD64 systems,
    32-bit processes could access and read certain 64-bit registers by
    temporarily switching themselves to 64-bit mode. (CVE-2009-2910, Moderate)

  • padding data in several core network structures was not initialized
    properly before being sent to user-space, possibly leading to information
    leaks. (CVE-2009-3228, CVE-2009-3612, Moderate)

  • the unix_stream_connect() function in the Linux kernel did not check if a
    UNIX domain socket was in the shutdown state. This could lead to a
    deadlock. A local, unprivileged user could use this flaw to cause a denial
    of service. (CVE-2009-3621, Moderate)
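The first two flaws above (CVE-2009-1895 and CVE-2009-2695) are both ways around the mmap_min_addr restriction, which exists so that an unprivileged process cannot place data at the addresses a kernel NULL pointer dereference would read. The program below is an added example, not code from the advisory or from Red Hat: it probes whether the current process can map the zero page, reads the effective vm.mmap_min_addr sysctl and the CapEff mask from /proc to decide whether a refusal was expected, and reports whether the process carries the MMAP_PAGE_ZERO or ADDR_COMPAT_LAYOUT personality flags the advisory names. The result codes, the helper names and the sample capability masks in the comments are this example's own choices; the fallback value for MAP_ANONYMOUS is the one used on x86 and arm Linux. It is Linux-only.

```c
/* Added example: probe enforcement of mmap_min_addr for this process.
 * Build: cc -std=c11 -Wall low_map_probe.c -o low_map_probe            */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/personality.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value on x86 and arm; only needed under strict -std */
#endif

#define CAP_SYS_RAWIO_BIT 17 /* CAP_SYS_RAWIO lets a process map below mmap_min_addr */

/* Effective vm.mmap_min_addr, or -1 if /proc is unavailable. */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (f) {
        if (fscanf(f, "%ld", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

/* 1 if bit `bit` is set in a hex capability mask as printed by /proc/self/status.
 * Example: "00000000a80425fb" (a typical container default set) has bit 17 clear. */
int cap_bit_set(const char *hexmask, int bit)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> bit) & 1ULL);
}

/* 1 if CapEff holds CAP_SYS_RAWIO, 0 if not, -1 if /proc/self/status is unreadable. */
int has_cap_sys_rawio(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int result = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            result = cap_bit_set(line + 7, CAP_SYS_RAWIO_BIT);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Does this process carry the personality flags the advisory names? A setuid
 * child inheriting them across exec was the CVE-2009-1895 problem. */
int has_risky_personality(void)
{
    int p = personality(0xffffffff);          /* query only, persona unchanged */
    return p != -1 && (p & (MMAP_PAGE_ZERO | ADDR_COMPAT_LAYOUT)) != 0;
}

/* Try to place one anonymous page at address 0. Returns 1 if the kernel refused
 * (errno preserved), 0 if it succeeded (mapping is removed again). On success
 * mmap() legitimately returns NULL here, so compare with MAP_FAILED, never NULL. */
int probe_zero_page(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return 1;
    munmap(p, page);
    return 0;
}

/* 0 = BYPASS: policy says refuse (mmap_min_addr > 0, no CAP_SYS_RAWIO) but the
 *     zero page was mapped; 1 = refused as configured; 2 = allowed because policy
 *     permits it or the configuration could not be read; 3 = refused by a layer
 *     other than mmap_min_addr (for example an LSM). */
int verdict(void)
{
    long min_addr = read_mmap_min_addr();
    int rawio = has_cap_sys_rawio();
    int refused = probe_zero_page();
    int expect_refusal = (min_addr > 0 && rawio == 0) ? 1
                       : (min_addr < 0 || rawio < 0)  ? -1 : 0;
    if (refused)
        return expect_refusal == 1 ? 1 : 3;
    return expect_refusal == 1 ? 0 : 2;
}

int main(void)
{
    static const char *text[] = { "BYPASS", "protected", "allowed by policy", "refused elsewhere" };
    printf("vm.mmap_min_addr = %ld, CAP_SYS_RAWIO = %d, risky personality = %d\n",
           read_mmap_min_addr(), has_cap_sys_rawio(), has_risky_personality());
    int v = verdict();
    printf("zero-page probe: %s (errno after probe: %s)\n", text[v], strerror(errno));
    return v == 0 ? 1 : 0;
}
```

Run it as the unprivileged user you care about, not as root: CAP_SYS_RAWIO legitimately permits the mapping, so a root run tells you nothing about the restriction. A non-zero exit status only in the BYPASS case makes the probe usable from a hardening checklist.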

These updated packages also include bug fixes and enhancements. Users are
directed to the Realtime Security Update Release Notes for version 1.1 for
information on these changes, which will be available shortly from:

http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/

Users should upgrade to these updated packages, which contain backported
patches to correct these issues and add enhancements. The system must be
rebooted for this update to take effect.
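Three of the flaws above (CVE-2009-3002, CVE-2009-3228, CVE-2009-3612) share one mechanism: a kernel structure is filled field by field on the stack and then copied to user space whole, so the compiler-inserted padding bytes carry whatever the stack held before. The program below is an added example, not code from the advisory or from the kernel: it models that mechanism in user space with a constructed struct (`demo_name`) whose layout has padding like the address structures getname() fills, runs a pre-fix style fill and a post-fix style fill over a buffer pre-loaded with a marker byte standing in for stale kernel data, and counts the marker bytes that survive in the padding. The struct, field values and marker are this example's own.

```c
/* Added example: uninitialised-padding information leak, pre-fix vs post-fix.
 * Build: cc -std=c11 -Wall padding_leak.c -o padding_leak                     */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed for the demo: on 4-byte-aligned ABIs this has 3 bytes of padding
 * after `family` and 2 bytes of tail padding after `port` (size 12, 7 used). */
struct demo_name {
    uint8_t  family;
    uint32_t addr;
    uint16_t port;
};

/* [offset, size) of every named member; anything outside these is padding. */
static const size_t field_span[][2] = {
    { offsetof(struct demo_name, family), sizeof(uint8_t)  },
    { offsetof(struct demo_name, addr),   sizeof(uint32_t) },
    { offsetof(struct demo_name, port),   sizeof(uint16_t) },
};

static int is_padding_byte(size_t i)
{
    for (size_t k = 0; k < sizeof field_span / sizeof field_span[0]; k++)
        if (i >= field_span[k][0] && i < field_span[k][0] + field_span[k][1])
            return 0;
    return 1;
}

/* Number of padding bytes in the struct, derived from the real layout. */
size_t padding_byte_count(void)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof(struct demo_name); i++)
        n += (size_t)is_padding_byte(i);
    return n;
}

/* Pre-fix pattern: only the named fields are written. Whatever the buffer held
 * before (in the kernel: old stack contents) survives in the padding, and a
 * copy_to_user() of sizeof(*out) bytes then discloses it. */
void getname_unsafe(struct demo_name *out)
{
    out->family = 2;
    out->addr   = 0x7f000001u;
    out->port   = 8080;
}

/* Post-fix pattern: zero the whole object first, then fill the fields, so the
 * padding is defined before the structure leaves the kernel. */
void getname_safe(struct demo_name *out)
{
    memset(out, 0, sizeof *out);
    out->family = 2;
    out->addr   = 0x7f000001u;
    out->port   = 8080;
}

/* Pre-load a buffer with MARKER (stands for stale data), run the chosen
 * variant, and return how many padding bytes still carry the marker, i.e.
 * how many bytes of old content would reach user space. */
size_t leaked_padding_bytes(int use_safe)
{
    enum { MARKER = 0xAA };
    union { struct demo_name s; unsigned char raw[sizeof(struct demo_name)]; } buf;
    memset(buf.raw, MARKER, sizeof buf.raw);
    if (use_safe)
        getname_safe(&buf.s);
    else
        getname_unsafe(&buf.s);
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof buf.raw; i++)
        if (is_padding_byte(i) && buf.raw[i] == MARKER)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("sizeof(struct demo_name) = %zu, padding bytes = %zu\n",
           sizeof(struct demo_name), padding_byte_count());
    printf("unsafe fill leaks %zu stale byte(s); safe fill leaks %zu\n",
           leaked_padding_bytes(0), leaked_padding_bytes(1));
    return 0;
}
```

The point to carry over when reviewing kernel or driver code: setting every named member is not enough to make a structure safe to copy out; either zero it first or copy only the bytes you deliberately wrote. The same applies to any length-prefixed copy to user space where the length exceeds the bytes that were actually filled.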
