This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry (CWE-189, listed in the CWE section of this page).

INFORMATION

Title : Linux kernel vulnerabilities
 
Name : USN-894-1
Vendor : Ubuntu
First Publication : 2010-02-05
Last Modification : 2010-02-05
Revision : N/A
Severity (Vendor) : N/A

SECURITY-DATABASE SCORING CVSS v2

Cvss Base Score : 10
Cvss Impact Score : 10
Cvss Exploit Score : 10
Attack Range : Network
Attack Complexity : Low
Authentication : None Required

This is the highest score among the CVEs covered by the advisory (CVE-2009-4538); the per-CVE scores are in the CVSS v2 table at the end of this page.

DETAIL

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
linux-image-2.6.15-55-386 2.6.15-55.82
linux-image-2.6.15-55-686 2.6.15-55.82
linux-image-2.6.15-55-amd64-generic 2.6.15-55.82
linux-image-2.6.15-55-amd64-k8 2.6.15-55.82
linux-image-2.6.15-55-amd64-server 2.6.15-55.82
linux-image-2.6.15-55-amd64-xeon 2.6.15-55.82
linux-image-2.6.15-55-hppa32 2.6.15-55.82
linux-image-2.6.15-55-hppa32-smp 2.6.15-55.82
linux-image-2.6.15-55-hppa64 2.6.15-55.82
linux-image-2.6.15-55-hppa64-smp 2.6.15-55.82
linux-image-2.6.15-55-itanium 2.6.15-55.82
linux-image-2.6.15-55-itanium-smp 2.6.15-55.82
linux-image-2.6.15-55-k7 2.6.15-55.82
linux-image-2.6.15-55-mckinley 2.6.15-55.82
linux-image-2.6.15-55-mckinley-smp 2.6.15-55.82
linux-image-2.6.15-55-powerpc 2.6.15-55.82
linux-image-2.6.15-55-powerpc-smp 2.6.15-55.82
linux-image-2.6.15-55-powerpc64-smp 2.6.15-55.82
linux-image-2.6.15-55-server 2.6.15-55.82
linux-image-2.6.15-55-server-bigiron 2.6.15-55.82
linux-image-2.6.15-55-sparc64 2.6.15-55.82
linux-image-2.6.15-55-sparc64-smp 2.6.15-55.82

Ubuntu 8.04 LTS:
linux-image-2.6.24-27-386 2.6.24-27.65
linux-image-2.6.24-27-generic 2.6.24-27.65
linux-image-2.6.24-27-hppa32 2.6.24-27.65
linux-image-2.6.24-27-hppa64 2.6.24-27.65
linux-image-2.6.24-27-itanium 2.6.24-27.65
linux-image-2.6.24-27-lpia 2.6.24-27.65
linux-image-2.6.24-27-lpiacompat 2.6.24-27.65
linux-image-2.6.24-27-mckinley 2.6.24-27.65
linux-image-2.6.24-27-openvz 2.6.24-27.65
linux-image-2.6.24-27-powerpc 2.6.24-27.65
linux-image-2.6.24-27-powerpc-smp 2.6.24-27.65
linux-image-2.6.24-27-powerpc64-smp 2.6.24-27.65
linux-image-2.6.24-27-rt 2.6.24-27.65
linux-image-2.6.24-27-server 2.6.24-27.65
linux-image-2.6.24-27-sparc64 2.6.24-27.65
linux-image-2.6.24-27-sparc64-smp 2.6.24-27.65
linux-image-2.6.24-27-virtual 2.6.24-27.65
linux-image-2.6.24-27-xen 2.6.24-27.65

Ubuntu 8.10:
linux-image-2.6.27-17-generic 2.6.27-17.45
linux-image-2.6.27-17-server 2.6.27-17.45
linux-image-2.6.27-17-virtual 2.6.27-17.45

Ubuntu 9.04:
linux-image-2.6.28-18-generic 2.6.28-18.59
linux-image-2.6.28-18-imx51 2.6.28-18.59
linux-image-2.6.28-18-iop32x 2.6.28-18.59
linux-image-2.6.28-18-ixp4xx 2.6.28-18.59
linux-image-2.6.28-18-lpia 2.6.28-18.59
linux-image-2.6.28-18-server 2.6.28-18.59
linux-image-2.6.28-18-versatile 2.6.28-18.59
linux-image-2.6.28-18-virtual 2.6.28-18.59

Ubuntu 9.10:
kernel-image-2.6.31-108-imx51-di 2.6.31-108.21
linux-image-2.6.31-19-386 2.6.31-19.56
linux-image-2.6.31-19-generic 2.6.31-19.56
linux-image-2.6.31-19-generic-pae 2.6.31-19.56
linux-image-2.6.31-19-ia64 2.6.31-19.56
linux-image-2.6.31-19-lpia 2.6.31-19.56
linux-image-2.6.31-19-powerpc 2.6.31-19.56
linux-image-2.6.31-19-powerpc-smp 2.6.31-19.56
linux-image-2.6.31-19-powerpc64-smp 2.6.31-19.56
linux-image-2.6.31-19-server 2.6.31-19.56
linux-image-2.6.31-19-sparc64 2.6.31-19.56
linux-image-2.6.31-19-sparc64-smp 2.6.31-19.56
linux-image-2.6.31-19-virtual 2.6.31-19.56
linux-image-2.6.31-211-dove 2.6.31-211.22
linux-image-2.6.31-211-dove-z0 2.6.31-211.22
linux-image-2.6.31-304-ec2 2.6.31-304.10

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

ATTENTION: Due to an unavoidable ABI change (except for Ubuntu 6.06)
the kernel updates have been given a new version number, which requires
you to recompile and reinstall all third party kernel modules you
might have installed. If you use linux-restricted-modules, you have to
update that package as well to get modules which work with the new kernel
version. Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-server, linux-powerpc), a standard system
upgrade will automatically perform this as well.

Details follow:

Amerigo Wang and Eric Sesterhenn discovered that the HFS and ext4
filesystems did not correctly check certain disk structures. If a user
were tricked into mounting a specially crafted filesystem, a remote
attacker could crash the system or gain root privileges. (CVE-2009-4020,
CVE-2009-4308)

It was discovered that FUSE did not correctly check certain requests.
A local attacker with access to FUSE mounts could exploit this to
crash the system or possibly gain root privileges. Ubuntu 9.10 was not
affected. (CVE-2009-4021)

It was discovered that KVM did not correctly decode certain guest
instructions. A local attacker in a guest could exploit this to
trigger high scheduling latency in the host, leading to a denial of
service. Ubuntu 6.06 was not affected. (CVE-2009-4031)

It was discovered that the OHCI FireWire driver did not correctly
handle certain ioctls. A local attacker could exploit this to crash
the system, or possibly gain root privileges. Ubuntu 6.06 was not
affected. (CVE-2009-4138)

Tavis Ormandy discovered that the kernel did not correctly handle
O_ASYNC on locked files. A local attacker could exploit this to gain
root privileges. Only Ubuntu 9.04 and 9.10 were affected. (CVE-2009-4141)

Neil Horman and Eugene Teo discovered that the e1000 and e1000e
network drivers did not correctly check the size of Ethernet frames.
An attacker on the local network could send specially crafted traffic
to bypass packet filters, crash the system, or possibly gain root
privileges. (CVE-2009-4536, CVE-2009-4538)

It was discovered that "print-fatal-signals" reporting could show
arbitrary kernel memory contents. A local attacker could exploit
this, leading to a loss of privacy. By default this is disabled in
Ubuntu and did not affect Ubuntu 6.06. (CVE-2010-0003)

Olli Jarva and Tuomo Untinen discovered that IPv6 did not correctly
handle jumbo frames. A remote attacker could exploit this to crash the
system, leading to a denial of service. Only Ubuntu 9.04 and 9.10 were
affected. (CVE-2010-0006)

Florian Westphal discovered that bridging netfilter rules could be
modified by unprivileged users. A local attacker could disrupt network
traffic, leading to a denial of service. (CVE-2010-0007)

Al Viro discovered that certain mremap operations could leak kernel
memory. A local attacker could exploit this to consume all available
memory, leading to a denial of service. (CVE-2010-0291)
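As an added check for the upgrade and ABI notes above and for the print-fatal-signals remark under CVE-2010-0003 (this script is not part of the Ubuntu advisory or of this database entry), the POSIX shell functions below encode the advisory's fixed-version table and compare an installed kernel package against it using Ubuntu's <upstream>-<ABI>.<upload> package numbering, which is why the ABI bump the advisory warns about shows up directly in the comparison. The function names, the mapping from package-name patterns to fixed versions, and the use of `dpkg-query -W -f='${Version}'` with `uname -r` to locate the running kernel's package are my assumptions about how a practitioner would wire this up; only the version numbers come from the advisory. The sysctl file path is a parameter so the check can be run against a constructed file.

```shell
#!/bin/sh
# Added audit helpers for USN-894-1 (assumed names; not from the advisory).
# Versions are the fixed package versions listed in the advisory.

# usn894_fixed_version <package-name>
# Prints the fixed version for the kernel flavour the package belongs to,
# or fails (exit 1) when the package is not covered by USN-894-1.
# Flavour-specific 9.10 kernels (imx51-di, dove, ec2) carry their own ABI
# series, so they must be matched before the generic 2.6.31 pattern.
usn894_fixed_version() {
    case "$1" in
        linux-image-2.6.15-*)                echo 2.6.15-55.82 ;;   # Ubuntu 6.06 LTS
        linux-image-2.6.24-*)                echo 2.6.24-27.65 ;;   # Ubuntu 8.04 LTS
        linux-image-2.6.27-*)                echo 2.6.27-17.45 ;;   # Ubuntu 8.10
        linux-image-2.6.28-*)                echo 2.6.28-18.59 ;;   # Ubuntu 9.04
        kernel-image-2.6.31-*-imx51-di)      echo 2.6.31-108.21 ;;  # Ubuntu 9.10
        linux-image-2.6.31-*-dove|linux-image-2.6.31-*-dove-z0)
                                             echo 2.6.31-211.22 ;;  # Ubuntu 9.10
        linux-image-2.6.31-*-ec2)            echo 2.6.31-304.10 ;;  # Ubuntu 9.10
        linux-image-2.6.31-*)                echo 2.6.31-19.56 ;;   # Ubuntu 9.10
        *) return 1 ;;
    esac
}

# usn894_abi_upload <version>
# Splits "<upstream>-<abi>.<upload>" (e.g. 2.6.31-19.56) into "<abi> <upload>".
# Fails on anything that does not have two numeric fields after the last '-'.
usn894_abi_upload() {
    rev=${1##*-}
    case "$rev" in
        *.*) abi=${rev%%.*}; upload=${rev#*.} ;;
        *)   return 1 ;;
    esac
    case "$abi"    in ''|*[!0-9]*) return 1 ;; esac
    case "$upload" in ''|*[!0-9]*) return 1 ;; esac
    echo "$abi $upload"
}

# usn894_is_fixed <package-name> <installed-version>
# Exit 0 when the installed version includes the USN-894-1 fixes
# (higher ABI, or same ABI with an upload number at least as high),
# 1 when it is older, 2 when the package or version is not covered.
usn894_is_fixed() {
    fixed=$(usn894_fixed_version "$1") || return 2
    inst=$(usn894_abi_upload "$2")      || return 2
    want=$(usn894_abi_upload "$fixed")  || return 2
    inst_abi=${inst% *}; inst_up=${inst#* }
    want_abi=${want% *}; want_up=${want#* }
    if [ "$inst_abi" -gt "$want_abi" ]; then return 0; fi
    if [ "$inst_abi" -eq "$want_abi" ] && [ "$inst_up" -ge "$want_up" ]; then
        return 0
    fi
    return 1
}

# usn894_fatal_signals_disabled [sysctl-file]
# Exit 0 when kernel.print-fatal-signals is 0 (the Ubuntu default noted for
# CVE-2010-0003), 1 when it is enabled, 2 when the file cannot be read.
usn894_fatal_signals_disabled() {
    f=${1:-/proc/sys/kernel/print-fatal-signals}
    [ -r "$f" ] || return 2
    read -r v < "$f" || return 2
    [ "$v" = 0 ]
}

# usn894_check_running
# Live-host wrapper (assumed usage): the old kernel package stays installed
# after the upgrade, so what matters is the package behind `uname -r`.
# Not invoked automatically.
usn894_check_running() {
    pkg="linux-image-$(uname -r)"
    ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || {
        echo "$pkg: not installed"; return 2; }
    if usn894_is_fixed "$pkg" "$ver"; then
        echo "$pkg $ver: includes the USN-894-1 fixes"
    else
        echo "$pkg $ver: NOT fixed, or not covered by USN-894-1"
    fi
}
```

On a live host, source the file and call `usn894_check_running`; a kernel that reports the pre-advisory ABI (for example 2.6.31-17 on 9.10) is still running the vulnerable image even if the fixed linux-image package is already installed, which is the reason the advisory insists on a reboot.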



ORIGINAL SOURCES

Url : http://www.ubuntu.com/usn/USN-894-1


CWE COMMON WEAKNESS ENUMERATION

CWE-189 - Numeric Errors (CWE/SANS Top 25)
CWE-399 - Resource Management Errors
CWE-264 - Permissions, Privileges, and Access Controls
CWE-20 - Improper Input Validation
CWE-200 - Information Exposure
CWE-119 - Failure to Constrain Operations within the Bounds of a Memory Buffer


OVAL ID

oval:org.mitre.oval:def:9527, drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl
oval:org.mitre.oval:def:10607, drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass pac
oval:org.mitre.oval:def:9702, drivers/net/e1000e/netdev.c in the e1000e driver in the Linux kernel 2.6.32.3 and earlier does not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to have an unspecified impact via crafted packets, a relate
oval:org.mitre.oval:def:6750, hfs Subsystem Stack-based Buffer Overflow Vulnerability
oval:org.mitre.oval:def:7453, Linux e1000 Driver 'Jumbo Frame' Handling Remote Security Bypass Vulnerability
oval:org.mitre.oval:def:7016, Linux e1000e Driver 'Jumbo Frame' Handling Remote Security Bypass Vulnerability
oval:org.mitre.oval:def:7376, Linux Kernel 'drivers/firewire/ohci.c' NULL Pointer Dereference Denial of Service Vulnerability
oval:org.mitre.oval:def:7054, Linux Kernel 'fasync_helper()' Local Privilege Escalation Vulnerability
oval:org.mitre.oval:def:6955, Linux Kernel 'fuse_direct_io()' Invalid Pointer Dereference Local Denial of Service Vulnerability
oval:org.mitre.oval:def:9630, net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restri
oval:org.mitre.oval:def:10091, Stack-based buffer overflow in the hfs subsystem in the Linux kernel 2.6.32 allows remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.
oval:org.mitre.oval:def:11089, The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulator in the KVM subsystem in the Linux kernel before 2.6.32-rc8-next-20091125 tries to interpret instructions that contain too many bytes to be valid, which allows guest OS users to cause
oval:org.mitre.oval:def:11103, The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a cra
oval:org.mitre.oval:def:10516, The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel before 2.6.32-rc7 might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack
oval:org.mitre.oval:def:11824, The Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the "do_mremap() mess" or "mremap/mmap mess."
oval:org.mitre.oval:def:10550, The print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then r
oval:org.mitre.oval:def:9201, Use-after-free vulnerability in the fasync_helper function in fs/fcntl.c in the Linux kernel before 2.6.33-rc4-git1 allows local users to gain privileges via vectors that include enabling O_ASYNC (aka FASYNC or FIOASYNC) on a locked file, and then closing

oval:org.mitre.oval:def:11831, The operating system installed on the system is Red Hat Enterprise Linux 4
oval:org.mitre.oval:def:11414, The operating system installed on the system is Red Hat Enterprise Linux 5
oval:org.mitre.oval:def:5506, VMware ESX Server 4.0 is installed


CPE COMMON PLATFORM ENUMERATION


OPEN SOURCE VULNERABILITY DATABASE (OSVDB)

62379 : Linux Kernel mmap / mremap Function Local Privilege Escalation.
61984 : Linux Kernel kernel/signal.c print_fatal_signal Function Log File Local Disclosure.
61876 : Linux Kernel net/ipv6/exthdrs.c ipv6_hop_jumbo Function IPv6 Jumbograms NULL Dereference DoS.
61788 : Linux Kernel drivers/net/e1000e/netdev.c Ethernet Frame MTU Check Weakness Crafted Packet Remote DoS.
61769 : Linux Kernel e1000 Driver drivers/net/e1000/e1000_main.c MTU Trailing Payload Data Packet Filter Bypass.
61687 : Linux Kernel fs/fcntl.c fasync_helper Function Use-after-free Local Privilege Escalation.
61670 : Linux Kernel net/bridge/netfilter/ebtables.c do_ebt_set_ctl Function Ethernet Bridging ACL Manipulation.
61309 : Linux Kernel drivers/firewire/ohci.c ISO Packet IOCTL Handling Local DoS.
61035 : Linux Kernel fs/ext4/super.c ext4_decode_error Function DoS.
60795 : Linux Kernel hfs Subsystem fs/hfs/dir.c hfs_readdir Function Remote Overflow.
60559 : Linux Kernel KVM Subsystem x86 Emulator arch/x86/kvm/emulate.c do_insn_fetch Function SMP Support Unspecified DoS.
60558 : Linux Kernel fuse Subsystem fs/fuse/file.c fuse_direct_io Function Local DoS.


INTERNAL SOURCES (Detail)

CVSS v2 (Base = base score; Impact and Exploit = CVSS v2 impact and exploitability subscores)

CVE            Severity  Base  Impact  Exploit  Attack Range  Attack Complexity  Auth
CVE-2009-4538  Critical  10    10      10       Network       Low                None Required
CVE-2009-4536  High      7.8   6.9     10       Network       Low                None Required
CVE-2009-4031  High      7.8   6.9     10       Network       Low                None Required
CVE-2009-4020  High      7.8   6.9     10       Network       Low                None Required
CVE-2009-4141  High      7.2   10      3.9      Local         Low                None Required
CVE-2010-0006  High      7.1   6.9     8.6      Network       Medium             None Required
CVE-2009-4308  High      7.1   6.9     8.6      Network       Medium             None Required
CVE-2010-0003  Medium    5.4   7.8     3.4      Local         Medium             None Required
CVE-2009-4021  Medium    4.9   6.9     3.9      Local         Low                None Required
CVE-2009-4138  Medium    4.7   6.9     3.4      Local         Medium             None Required
CVE-2010-0291  Medium    4.6   6.4     3.9      Local         Low                None Required
CVE-2010-0007  Low       2.1   2.9     3.9      Local         Low                None Required