Multiple vulnerabilities in Linux kernel

1) NULL pointer dereference

EUVDB-ID: #VU44578

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-1478

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a malformed VLAN frame.

Mitigation

Update to version 2.6.38.

Vulnerable software versions

Linux kernel: 2.6.0 - 2.6.37.6

CPE2.3

External links

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=66c46d741e2e60f0e8b625b80edb0ab820c46d7a
https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6d152e23ad1a7a5b40fef1f42e017d66e6115159
https://mirror.anl.gov/pub/linux/kernel/v2.6/ChangeLog-2.6.38
https://openwall.com/lists/oss-security/2011/03/28/1
https://secunia.com/advisories/46397
https://securityreason.com/securityalert/8480
https://www.securityfocus.com/archive/1/520102/100/0/threaded
https://www.vmware.com/security/advisories/VMSA-2011-0012.html
https://bugzilla.redhat.com/show_bug.cgi?id=691270

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) NULL pointer dereference

EUVDB-ID: #VU44642

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-1076

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the Linux kernel before 2.6.38 allows remote DNS servers to cause a denial of service (NULL pointer dereference and OOPS) by not providing a valid response to a DNS query, as demonstrated by an erroneous grand.centrall.org query, which triggers improper handling of error data within a DNS resolver key. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Update to version 2.6.38.

Vulnerable software versions

Linux kernel: 2.6.0 - 2.6.37.6

CPE2.3

External links

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1362fa078dae16776cd439791c6605b224ea6171
https://openwall.com/lists/oss-security/2011/03/04/13
https://securitytracker.com/id?1025162
https://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) NULL pointer dereference

EUVDB-ID: #VU44878

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-1093

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint, which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Update to version 2.6.38.

Vulnerable software versions

Linux kernel: 2.6.0 - 2.6.37.6

CPE2.3

External links

https://downloads.avaya.com/css/P8/documents/100145416
https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=720dc34bbbe9493c7bd48b2243058b4e447a929d
https://openwall.com/lists/oss-security/2011/03/08/19
https://openwall.com/lists/oss-security/2011/03/08/4
https://rhn.redhat.com/errata/RHSA-2011-0833.html
https://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38
https://www.securityfocus.com/bid/46793
https://bugzilla.redhat.com/show_bug.cgi?id=682954

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Out-of-bounds write

EUVDB-ID: #VU45060

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2011-1013

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Integer signedness error in the drm_modeset_ctl function in (1) drivers/gpu/drm/drm_irq.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.38 and (2) sys/dev/pci/drm/drm_irq.c in the kernel in OpenBSD before 4.9 allows local users to trigger out-of-bounds write operations, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via a crafted num_crtcs (aka vb_num) structure member in an ioctl argument.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 2.6.0 - 2.6.37.6

CPE2.3

External links

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1922756124ddd53846877416d92ba4a802bc658f
https://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38
https://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/drm/drm_irq.c
https://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/drm/drm_irq.c.diff?r1=1.41;r2=1.42;f=h
https://www.securityfocus.com/bid/47639
https://bugzilla.redhat.com/show_bug.cgi?id=679925
https://exchange.xforce.ibmcloud.com/vulnerabilities/67199

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Input validation error

EUVDB-ID: #VU45141

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2011-1163

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The osf_partition function in fs/partitions/osf.c in the Linux kernel before 2.6.38 does not properly handle an invalid number of partitions, which might allow local users to obtain potentially sensitive information from kernel heap memory via vectors related to partition-table parsing.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 2.6.0 - 2.6.37.6

CPE2.3

External links

https://downloads.avaya.com/css/P8/documents/100145416
https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05
https://lists.opensuse.org/opensuse-security-announce/2015-04/msg00020.html
https://openwall.com/lists/oss-security/2011/03/15/14
https://openwall.com/lists/oss-security/2011/03/15/9
https://rhn.redhat.com/errata/RHSA-2011-0833.html
https://securityreason.com/securityalert/8189
https://securitytracker.com/id?1025225
https://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38
https://www.pre-cert.de/advisories/PRE-SA-2011-02.txt
https://www.securityfocus.com/archive/1/517050
https://www.securityfocus.com/bid/46878
https://www.spinics.net/lists/mm-commits/msg82737.html
https://bugzilla.redhat.com/show_bug.cgi?id=688021

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Resource exhaustion

EUVDB-ID: #VU45145

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2011-1082

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

fs/eventpoll.c in the Linux kernel before 2.6.38 places epoll file descriptors within other epoll data structures without properly checking for (1) closed loops or (2) deep chains, which allows local users to cause a denial of service (deadlock or stack memory consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 2.6.0 - 2.6.37.6

CPE2.3

External links

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e
https://openwall.com/lists/oss-security/2011/03/02/1
https://openwall.com/lists/oss-security/2011/03/02/2
https://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38
https://bugzilla.redhat.com/show_bug.cgi?id=681575
https://lkml.org/lkml/2011/2/5/220

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

7) Information disclosure

EUVDB-ID: #VU45286

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2011-0711

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FSGEOMETRY_V1 ioctl call.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 2.6.0 - 2.6.37.6

CPE2.3

External links

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba
https://openwall.com/lists/oss-security/2011/02/16/10
https://openwall.com/lists/oss-security/2011/02/16/4
https://osvdb.org/70950
https://rhn.redhat.com/errata/RHSA-2011-0927.html
https://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.38-rc6-git3.log
https://www.securityfocus.com/bid/46417
https://bugzilla.redhat.com/show_bug.cgi?id=677260
https://patchwork.kernel.org/patch/555461/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Risk	High
Patch available	YES
Number of vulnerabilities	7
CVE-ID	CVE-2011-1478 CVE-2011-1076 CVE-2011-1093 CVE-2011-1013 CVE-2011-1163 CVE-2011-1082 CVE-2011-0711
CWE-ID	CWE-476 CWE-787 CWE-20 CWE-400 CWE-200
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #6 is available.
Vulnerable software	Linux kernel Operating systems & Components / Operating system
Vendor	Linux Foundation