Executive Summary

Summary
Title: Linux kernel vulnerabilities

Information
Name: USN-131-1
First vendor Publication: 2005-05-23
Vendor: Ubuntu
Last vendor Modification: 2005-05-23
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score: 7.2
Cvss Impact Score: 10
Cvss Exploit Score: 3.9
Attack Range: Local
Attack Complexity: Low
Authentication: None Required

Detail

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

linux-image-2.6.10-5-386
linux-image-2.6.10-5-686
linux-image-2.6.10-5-686-smp
linux-image-2.6.10-5-amd64-generic
linux-image-2.6.10-5-amd64-k8
linux-image-2.6.10-5-amd64-k8-smp
linux-image-2.6.10-5-amd64-xeon
linux-image-2.6.10-5-itanium
linux-image-2.6.10-5-itanium-smp
linux-image-2.6.10-5-k7
linux-image-2.6.10-5-k7-smp
linux-image-2.6.10-5-mckinley
linux-image-2.6.10-5-mckinley-smp
linux-image-2.6.10-5-power3
linux-image-2.6.10-5-power3-smp
linux-image-2.6.10-5-power4
linux-image-2.6.10-5-power4-smp
linux-image-2.6.10-5-powerpc
linux-image-2.6.10-5-powerpc-smp
linux-image-2.6.8.1-5-386
linux-image-2.6.8.1-5-686
linux-image-2.6.8.1-5-686-smp
linux-image-2.6.8.1-5-amd64-generic
linux-image-2.6.8.1-5-amd64-k8
linux-image-2.6.8.1-5-amd64-k8-smp
linux-image-2.6.8.1-5-amd64-xeon
linux-image-2.6.8.1-5-k7
linux-image-2.6.8.1-5-k7-smp
linux-image-2.6.8.1-5-power3
linux-image-2.6.8.1-5-power3-smp
linux-image-2.6.8.1-5-power4
linux-image-2.6.8.1-5-power4-smp
linux-image-2.6.8.1-5-powerpc
linux-image-2.6.8.1-5-powerpc-smp
linux-patch-debian-2.6.8.1
linux-patch-ubuntu-2.6.10

The problem can be corrected by upgrading the affected package to version 2.6.8.1-16.18 (for Ubuntu 4.10), or 2.6.10-34.1 (for Ubuntu 5.04). After doing a standard system upgrade you need to reboot your computer to effect the necessary changes.

Details follow:

Colin Percival discovered an information disclosure in the "Hyper Threading Technology" architecture in processors which are capable of simultaneous multithreading (in particular Intel Pentium 4, Intel Mobile Pentium 4, and Intel Xeon processors). This allows a malicious thread to monitor the execution of another thread on the same CPU. This could be exploited to steal cryptographic keys, passwords, or other arbitrary data from unrelated processes. Since it is not possible to provide a safe patch in a short time, HyperThreading has been disabled in the updated kernel packages for now. You can manually enable HyperThreading again by passing the kernel parameter "ht=on" at boot. (CAN-2005-0109)

A Denial of Service vulnerability was discovered in the fib_seq_start() function. This allowed a local user to crash the system by reading /proc/net/route in a certain way. (CAN-2005-1041)

Paul Starzetz found an integer overflow in the ELF binary format loader's core dump function. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges. However, it is believed that this flaw is not actually exploitable on 2.6.x kernels (as shipped by Ubuntu). (CAN-2005-1263)

Alexander Nyberg discovered a flaw in the keyring kernel module. This allowed a local attacker to cause a kernel crash on SMP machines by calling key_user_lookup() in a particular way. This vulnerability does not affect the kernel of Ubuntu 4.10. (CAN-2005-1368)

The it87 and via686a hardware monitoring drivers created a sysfs file named "alarms" with write permissions, but they are not designed to be writeable. This allowed a local user to crash the kernel by attempting to write to these files. (CAN-2005-1369)

It was discovered that the drivers for raw devices (CAN-2005-1264) and pktcdvd devices (CAN-2005-1589) used the wrong function to pass arguments to the underlying block device. This made the kernel address space accessible to userspace applications. This allowed any local user with at least read access to a device in /dev/pktcdvd/* (usually members of the "cdrom" group) or /dev/raw/* (usually only root) to execute arbitrary code with kernel privileges. Ubuntu 4.10's kernel is not affected by the pktcdvd flaw since it does not yet support packet CD writing.

Original Source

Url : http://www.ubuntu.com/usn/USN-131-1

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:10264
Description: Raw character devices (raw.c) in the Linux kernel 2.6.x call the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space, a similar vulnerability to CVE-2005-1589.
Family: unix
Class: vulnerability
Reference(s): CVE-2005-1264
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Oval ID: oval:org.mitre.oval:def:10909
Description: The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.
Family: unix
Class: vulnerability
Reference(s): CVE-2005-1263
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3

Oval ID: oval:org.mitre.oval:def:1122
Title: Linux Kernel elf_core_dump() Buffer Overflow
Description: The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.
Family: unix
Class: vulnerability
Reference(s): CVE-2005-1263
Version: 1
Platform(s): Red Hat Enterprise Linux 3
Product(s): Linux kernel

Oval ID: oval:org.mitre.oval:def:9487
Description: The fib_seq_start function in fib_hash.c in Linux kernel allows local users to cause a denial of service (system crash) via /proc/net/route.
Family: unix
Class: vulnerability
Reference(s): CVE-2005-1041
Version: 5
Platform(s): Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

Oval ID: oval:org.mitre.oval:def:9747
Description: Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses.
Family: unix
Class: vulnerability
Reference(s): CVE-2005-0109
Version: 5
Platform(s): Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4

CPE : Common Platform Enumeration

Type Description Count
Application 1
Os 91
Os 648
Os 12
Os 2
Os 1
Os 1
Os 3
Os 5
Os 5

OpenVAS Exploits

Date Description
2009-10-10 Name : SLES9: Security update for kernel
File : nvt/sles9p5009598.nasl
2009-10-10 Name : SLES9: Security update for Linux kernel
File : nvt/sles9p5015723.nasl
2008-09-04 Name : FreeBSD Security Advisory (FreeBSD-SA-05:09.htt.asc)
File : nvt/freebsdsa_htt.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
16609 Linux Kernel raw Device ioctl_by_bdev() Function Kernel Memory Corruption
The Linux Kernel contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when input to the raw Device ioctl_by_bdev() function is not validated correctly. This flaw may lead to execution of arbitrary code with kernel level privileges and a loss of Integrity.

16608 Linux Kernel pktcdvd Device ioctl_by_bdev() Function Kernel Memory Corruption

16481 Linux Kernel key.c key_user_lookup SMP DoS

16440 Multiple Unix Vendor Hyper-Threading (HTT) Arbitrary Thread Process Informati...

16424 Linux Kernel ELF Core Dump Privilege Escalation

16065 Linux Kernel via686a Driver Insecure File Creation
The hardware monitoring drivers for the it87 and via686a chipsets in the Linux kernel contain a flaw that may allow a local denial of service. These drivers create a sysfs file called "alarms" incorrectly in R/W mode. The issue is triggered when a local user attempts to write to this file, and will result in loss of availability for the system by utilizing the CPU at 100% until the system is rebooted.

16064 Linux Kernel it87 Driver Insecure File Creation
The hardware monitoring drivers for the it87 and via686a chipsets in the Linux kernel contain a flaw that may allow a local denial of service. These drivers create a sysfs file called "alarms" incorrectly in R/W mode. The issue is triggered when a local user attempts to write to this file, and will result in loss of availability for the system by utilizing the CPU at 100% until the system is rebooted.

15729 Linux Kernel fib_seq_start Function Local DoS

Nessus® Vulnerability Scanner

Date Description
2006-07-05 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-420.nasl - Type : ACT_GATHER_INFO
2006-07-05 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-366.nasl - Type : ACT_GATHER_INFO
2006-07-03 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-472.nasl - Type : ACT_GATHER_INFO
2006-07-03 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-476.nasl - Type : ACT_GATHER_INFO
2006-07-03 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-800.nasl - Type : ACT_GATHER_INFO
2006-01-15 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-131-1.nasl - Type : ACT_GATHER_INFO
2006-01-15 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2005-219.nasl - Type : ACT_GATHER_INFO
2005-10-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-800.nasl - Type : ACT_GATHER_INFO
2005-08-30 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-529.nasl - Type : ACT_GATHER_INFO
2005-07-01 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2005-110.nasl - Type : ACT_GATHER_INFO
2005-07-01 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2005-111.nasl - Type : ACT_GATHER_INFO
2005-06-10 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-420.nasl - Type : ACT_GATHER_INFO
2005-06-10 Name : The remote host is missing a vendor-supplied security patch
File : suse_SA_2005_029.nasl - Type : ACT_GATHER_INFO
2005-06-08 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2005-096.nasl - Type : ACT_GATHER_INFO
2005-06-02 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-476.nasl - Type : ACT_GATHER_INFO
2005-05-28 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-472.nasl - Type : ACT_GATHER_INFO
2005-05-28 Name : The remote Fedora Core host is missing a security update.
File : fedora_2005-392.nasl - Type : ACT_GATHER_INFO
2005-04-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-366.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 11:59:28 Multiple Updates