Ubuntu 4.10 / 5.04 : linux-source-2.6.8.1, linux-source-2.6.10 vulnerabilities (USN-131-1)

high Nessus Plugin ID 20522

Synopsis

The remote Ubuntu host is missing one or more security-related patches.

Description

Colin Percival discovered an information disclosure in the 'Hyper Threading Technology' architecture in processors which are capable of simultaneous multithreading (in particular Intel Pentium 4, Intel Mobile Pentium 4, and Intel Xeon processors). This allows a malicious thread to monitor the execution of another thread on the same CPU.
This could be exploited to steal cryptographic keys, passwords, or other arbitrary data from unrelated processes. Since it is not possible to provide a safe patch in a short time, HyperThreading has been disabled in the updated kernel packages for now. You can manually enable HyperThreading again by passing the kernel parameter 'ht=on' at boot. (CAN-2005-0109)

A Denial of Service vulnerability was discovered in the fib_seq_start() function. This allowed a local user to crash the system by reading /proc/net/route in a certain way. (CAN-2005-1041)

Paul Starzetz found an integer overflow in the ELF binary format loader's core dump function. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges. However, it is believed that this flaw is not actually exploitable on 2.6.x kernels (as shipped by Ubuntu). (CAN-2005-1263)

Alexander Nyberg discovered a flaw in the keyring kernel module. This allowed a local attacker to cause a kernel crash on SMP machines by calling key_user_lookup() in a particular way. This vulnerability does not affect the kernel of Ubuntu 4.10. (CAN-2005-1368)

The it87 and via686a hardware monitoring drivers created a sysfs file named 'alarms' with write permissions, but they are not designed to be writeable. This allowed a local user to crash the kernel by attempting to write to these files. (CAN-2005-1369)

It was discovered that the drivers for raw devices (CAN-2005-1264) and pktcdvd devices (CAN-2005-1589) used the wrong function to pass arguments to the underlying block device. This made the kernel address space accessible to userspace applications. This allowed any local user with at least read access to a device in /dev/pktcdvd/* (usually members of the 'cdrom' group) or /dev/raw/* (usually only root) to execute arbitrary code with kernel privileges. Ubuntu 4.10's kernel is not affected by the pktcdvd flaw since it does not yet support packet CD writing.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
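As an added example (not code from the Nessus plugin or the Ubuntu advisory), the following POSIX shell script checks a host for the exposure conditions the description above turns on: whether SMT is actually in use (the ht flag plus more siblings than cores, which is when CAN-2005-0109 applies), whether the patched kernel's HyperThreading disablement has been overridden with ht=on, whether a raw or pktcdvd device node is readable beyond its owner (read access is all CAN-2005-1264 / CAN-2005-1589 need), and whether any hardware-monitor 'alarms' sysfs attribute carries a write bit (CAN-2005-1369). The function names, the sysfs directory name and the sample /proc/cpuinfo, /proc/cmdline, device-node and sysfs contents are constructed for illustration, not captured from a real host; the "cpu cores" field is treated as optional because older 2.6 kernels do not print it.

```shell
#!/bin/sh
# Added example, not code from the Nessus plugin or the Ubuntu advisory.
# Local checks for the exposure conditions USN-131-1 describes.  All
# function names are this example's own; the sample inputs at the bottom
# are constructed, not captured from a real host.

# ht_active <cpuinfo-file>
# Prints "yes" when any processor entry carries the ht flag and reports more
# siblings than cores, i.e. SMT is actually in use (the condition under which
# CAN-2005-0109 applies); "no" otherwise.  A kernel booted with HT disabled
# still shows the ht flag but siblings == cores.
ht_active() {
    awk '
        /^flags/ && / ht( |$)/ { ht = 1 }
        /^siblings/            { sib = $NF }
        /^cpu cores/           { cores = $NF }
        /^$/                   { check() }
        END                    { check(); print (active ? "yes" : "no") }
        function check(    c) {
            # "cpu cores" is missing on older 2.6 kernels; assume 1 core then
            c = (cores == "") ? 1 : cores + 0
            if (ht && sib != "" && sib + 0 > c) active = 1
            ht = 0; sib = ""; cores = ""
        }
    ' "$1"
}

# ht_reenabled <cmdline-file>
# Prints "yes" if the kernel was booted with ht=on, the parameter the
# advisory documents for re-enabling HyperThreading on the patched kernel.
ht_reenabled() {
    if grep -q -E '(^|[[:space:]])ht=on([[:space:]]|$)' "$1"; then
        echo yes
    else
        echo no
    fi
}

# readable_beyond_owner <path>
# Returns 0 when the group or other read bit is set on a device node.
# Read access is all CAN-2005-1264 / CAN-2005-1589 need, so /dev/raw/* and
# /dev/pktcdvd/* nodes with either bit set are reachable by non-root users.
readable_beyond_owner() {
    [ -e "$1" ] || return 2
    case $(ls -ld "$1" | cut -c5,8) in   # chars 5 and 8 are the g/o read bits
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# writable_alarms_attrs [sysfs-root]
# Lists hardware-monitor 'alarms' attributes that have the owner write bit.
# A writable one from the it87 or via686a driver is the crash condition of
# CAN-2005-1369; the fixed drivers create the attribute read-only.
writable_alarms_attrs() {
    find "${1:-/sys}" -name alarms -type f -perm -0200 2>/dev/null
}

# --- demonstration on constructed input (not a capture from a real host) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CPUINFO="$SAMPLE_DIR/cpuinfo"
cat > "$SAMPLE_CPUINFO" <<'EOF'
processor : 0
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe
siblings  : 2
cpu cores : 1

processor : 1
flags     : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe
siblings  : 2
cpu cores : 1

EOF
SAMPLE_CMDLINE="$SAMPLE_DIR/cmdline"
echo 'root=/dev/hda1 ro quiet splash ht=on' > "$SAMPLE_CMDLINE"
SAMPLE_DEV="$SAMPLE_DIR/pktcdvd0"           # stands in for /dev/pktcdvd/*
: > "$SAMPLE_DEV" && chmod 640 "$SAMPLE_DEV"
SAMPLE_SYS="$SAMPLE_DIR/sys"                # constructed sysfs layout
SAMPLE_ALARMS="$SAMPLE_SYS/bus/i2c/devices/0-0290/alarms"
mkdir -p "$(dirname "$SAMPLE_ALARMS")"
: > "$SAMPLE_ALARMS" && chmod 644 "$SAMPLE_ALARMS"

echo "SMT active in sample cpuinfo:        $(ht_active "$SAMPLE_CPUINFO")"
echo "ht=on present on sample cmdline:     $(ht_reenabled "$SAMPLE_CMDLINE")"
if readable_beyond_owner "$SAMPLE_DEV"; then r=yes; else r=no; fi
echo "sample device readable beyond owner: $r"
echo "writable alarms attributes under sample sysfs:"
writable_alarms_attrs "$SAMPLE_SYS"
```

On a real host run the same functions against /proc/cpuinfo, /proc/cmdline, the nodes under /dev/raw and /dev/pktcdvd, and /sys. After installing the updated kernel, ht_active should report "no" unless ht=on was deliberately passed; if it still reports "yes", the HyperThreading mitigation is not in effect.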

Solution

Update the affected packages.

Plugin Details

Severity: High

ID: 20522

File Name: ubuntu_USN-131-1.nasl

Version: 1.16

Type: local

Agent: unix

Published: 1/15/2006

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: High

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.10, p-cpe:/a:canonical:ubuntu_linux:linux-doc-2.6.8.1, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-386, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-686, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-686-smp, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-generic, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-k8, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-k8-smp, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-amd64-xeon, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-5, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-5-386, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-5-686, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-5-686-smp, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-5-amd64-generic, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-5-amd64-k8, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-5-amd64-k8-smp, p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6.8.1-5-amd64-xeon, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-686, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-686-smp, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-generic, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-k8, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-k8-smp, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-amd64-xeon, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-5-386, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-5-686, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-5-686-smp, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-5-amd64-generic, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-5-amd64-k8, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-5-amd64-k8-smp, p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6.8.1-5-amd64-xeon, p-cpe:/a:canonical:ubuntu_linux:linux-patch-debian-2.6.8.1, p-cpe:/a:canonical:ubuntu_linux:linux-patch-ubuntu-2.6.10, p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.10, p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.8.1, p-cpe:/a:canonical:ubuntu_linux:linux-tree-2.6.10, p-cpe:/a:canonical:ubuntu_linux:linux-tree-2.6.8.1, cpe:/o:canonical:ubuntu_linux:4.10, cpe:/o:canonical:ubuntu_linux:5.04

Required KB Items: Host/cpu, Host/Debian/dpkg-l, Host/Ubuntu, Host/Ubuntu/release

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/23/2005

Reference Information

CVE: CVE-2005-0109, CVE-2005-1041, CVE-2005-1263, CVE-2005-1264, CVE-2005-1368, CVE-2005-1369, CVE-2005-1589

USN: 131-1