Exploitalert - Database of Exploits

Multiple vulnerabilities - kernel, openssh

CVE	Category	Price	Severity
CVE-2006-0035	CWE-119	Not specified	High

Author	Risk	Exploitation Type	Date
Not specified	High	Local	2006-02-11

CVSS	EPSS	EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Attack Requirements	Present	AT	The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. These include: A race condition must be won to successfully exploit the vulnerability. The successfulness of the attack is conditioned on execution conditions that are not under full control of the attacker. The attack may need to be launched multiple times against a single target before being successful. Network injection. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim (e.g. vulnerabilities requiring an on-path attacker).
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Confidentiality Impact to the Vulnerable System	High	VC	There is a total loss of confidentiality, resulting in all information within the Vulnerable System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.
Availability Impact to the Vulnerable System	High	VI	There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Vulnerable System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Vulnerable System.
Availability Impact to the Vulnerable System	High	VA	There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Vulnerable System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the Vulnerable System (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
Subsequent System Confidentiality Impact	Negligible	SC	There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System.
Integrity Impact to the Subsequent System	None	SI	There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System.
Availability Impact to the Subsequent System	None	SA	There is no loss of availibility within the Subsequent System or all availibility impact is constrained to the Vulnerable System.

http://cxsecurity.com/ascii/WLB-2006010074

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ -- Trustix Secure Linux Security Advisory #2006-0004 Package names: kernel, openssh Summary: Multiple vulnerabilities Date: 2006-01-27 Affected versions: Trustix Secure Linux 2.2 Trustix Secure Linux 3.0 Trustix Operating System - Enterprise Server 2 - ------------------------------------------------------------------------ -- Package description: kernel The kernel package contains the Linux kernel (vmlinuz), the core of your Trustix Secure Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc. openssh Ssh (Secure Shell) a program for logging into a remote machine and for executing commands in a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. Problem description: kernel < TSL 3.0 > - SECURITY Fix: Missing validation of the "nlmsg_len" value in "netlink_rcv_skb()" can cause an infinite loop which can be exploited by local users to cause a DoS by setting the value to 0. - An error in the PPTP NAT helper in the handling of inbound PPTP_IN_CALL_REQUEST packets can cause an error in offset calculation. This can be exploited to cause random memory corruption and can crash the kernel. - ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows local users to cause a denial of service via a crafted outbound packet that causes an incorrect offset to be calculated from pointer arithmetic when non-linear SKBs (socket buffers) are used. - Stefan Rompf has reported a vulnerability caused due to the "dm-crypt" driver failing to clear memory before freeing it. This can be exploited by local users to obtain sensitive information. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-0035, CVE-2006-0036, CVE-2006-0037 and CVE-2006-0095 to these issues. openssh < TSL 3.0 > < TSL 2.2 > < TSEL 2 > - SECURITY Fix: Josh Bressers has reported a weakness in OpenSSH caused due to the insecure use of the "system()" function in scp when performing copy operations using filenames that are supplied by the user from the command line. This can be exploited to execute shell commands with privileges of the user running scp. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-0225 to this issue. Action: We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system. Location: All Trustix Secure Linux updates are available from <URI:http://http.trustix.org/pub/trustix/updates/> <URI:ftp://ftp.trustix.org/pub/trustix/updates/> About Trustix Secure Linux: Trustix Secure Linux is a small Linux distribution for servers. With focus on security and stability, the system is painlessly kept safe and up to date from day one using swup, the automated software updater. Automatic updates: Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'. Questions? Check out our mailing lists: <URI:http://www.trustix.org/support/> Verification: This advisory along with all Trustix packages are signed with the TSL sign key. This key is available from: <URI:http://www.trustix.org/TSL-SIGN-KEY> The advisory itself is available from the errata pages at <URI:http://www.trustix.org/errata/trustix-2.2/> and <URI:http://www.trustix.org/errata/trustix-3.0/> or directly at <URI:http://www.trustix.org/errata/2006/0004/> MD5sums of the packages: - ------------------------------------------------------------------------ -- 027cea1f2f987f710fe2680337a4774f 3.0/rpms/kernel-2.6.15.1-1tr.i586.rpm 9f6cc359c94b874a8160b2744fb6d510 3.0/rpms/kernel-doc-2.6.15.1-1tr.i586.rpm f6c272fadee97f280adee5f9a00576b0 3.0/rpms/kernel-headers-2.6.15.1-1tr.i586.rpm 31150a8b714720f20e290dccec845826 3.0/rpms/kernel-smp-2.6.15.1-1tr.i586.rpm fce9c0bf230300cec808aea31ff7f718 3.0/rpms/kernel-smp-headers-2.6.15.1-1tr.i586.rpm cf6368abb17f22b64826d00bd8336cf5 3.0/rpms/kernel-source-2.6.15.1-1tr.i586.rpm 0608ad6bd8e97ddadd0b501206a11d20 3.0/rpms/kernel-utils-2.6.15.1-1tr.i586.rpm ab20e49ff562fa8accc40ecbf13e7799 3.0/rpms/openssh-4.2p1-2tr.i586.rpm ade6e066afe6e83bd99975bfa252f608 3.0/rpms/openssh-clients-4.2p1-2tr.i586.rpm 7290bb4c93f08314b72b589e6ed3b0b3 3.0/rpms/openssh-server-4.2p1-2tr.i586.rpm 934477d687fb6cb48b78fceb87e187e2 3.0/rpms/openssh-server-config-4.2p1-2tr.i586.rpm 3bfc8e25184b964391c8c71ad95b2778 2.2/rpms/openssh-4.2p1-2tr.i586.rpm 8a3a8e810c8121ac10846922e0bffe6a 2.2/rpms/openssh-clients-4.2p1-2tr.i586.rpm 33c754e2048bb85822145c2063f63463 2.2/rpms/openssh-server-4.2p1-2tr.i586.rpm 0abb95f1c3c13c491e0233ae6f3a9944 2.2/rpms/openssh-server-config-4.2p1-2tr.i586.rpm - ------------------------------------------------------------------------ -- Trustix Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFD3gWOi8CEzsK9IksRAqoNAJ0VcXv/vxjGrn/uCznt7fVZcwLhYwCfUGQY rnBSdrj/JGMGe6Y7iUrf3GQ= =UQBl -----END PGP SIGNATURE-----

Impressum