
Test ID: 1.3.6.1.4.1.25623.1.0.64771
Category: Slackware Local Security Checks
Title: Slackware: Security Advisory (SSA:2009-230-01)
Summary: The remote host is missing an update for the 'kernel' package(s) announced via the SSA:2009-230-01 advisory.
Description:

Vulnerability Insight:
New Linux kernel packages are available for Slackware 12.2 and -current
to address a security issue. A kernel bug discovered by Tavis Ormandy
and Julien Tinnes of the Google Security Team could allow a local user
to fill memory page zero with arbitrary code and then use the kernel
sendpage operation to trigger a NULL pointer dereference, executing the
code in the context of the kernel. If successfully exploited, this bug
can be used to gain root access.

At this time we have prepared fixed kernels for the stable version of
Slackware (12.2), as well as for both 32-bit x86 and x86_64 -current
versions. Additionally, we have added a package to the /patches
directory for Slackware 12.1 and 12.2 that will set the minimum memory
page that can be mmap()ed from userspace without additional privileges
to 4096. The package will work with any kernel supporting the
vm.mmap_min_addr tunable, and should significantly reduce the potential
harm from this bug, as well as future similar bugs that might be found
in the kernel. More updated kernels may follow.

For more information, see:
[link moved to references]


Here are the details from the Slackware 12.2 ChangeLog:
+--------------------------+
patches/packages/linux-2.6.27.31/:
Added new kernels and kernel packages for Linux 2.6.27.31 to address
a bug in proto_ops structures which could allow a user to use the
kernel sendpage operation to execute arbitrary code in page zero.
This could allow local users to gain escalated privileges.
This flaw was discovered by Tavis Ormandy and Julien Tinnes of the
Google Security Team.
For more information, see:
[link moved to references]
In addition, these kernels change CONFIG_DEFAULT_MMAP_MIN_ADDR kernel
config option value to 4096, which should prevent the execution of
arbitrary code by future NULL dereference bugs that might be found in
the kernel. If you are compiling your own kernel, please check this
option in your .config. If it is set to =0, you may wish to edit it
to 4096 (or some other value > 0) and then reconfigure, or the kernel
will not have default protection against zero page attacks from
userspace.
(* Security fix *)
patches/packages/kernel-mmap_min_addr-4096-noarch-1.tgz:
This package adds an init script to edit /etc/sysctl.conf, adding
this config option:
vm.mmap_min_addr = 4096
This will configure the kernel to disallow mmap() to userspace of any
page lower than 4096, preventing privilege escalation by CVE-2009-2692.
This is a hot fix package and will take effect immediately upon
installation on any system running a kernel that supports configurable
/proc/sys/vm/mmap_min_addr (kernel 2.6.23 or newer).
(* Security fix *)
+--------------------------+
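
The ChangeLog names three places where the minimum mmap address is set: the live /proc/sys/vm/mmap_min_addr value, the vm.mmap_min_addr line in /etc/sysctl.conf, and CONFIG_DEFAULT_MMAP_MIN_ADDR in the kernel .config. The script below is an added example, not part of the Slackware advisory or the scanner test, that checks all three against the advisory's 4096; the function names and the default .config path are assumptions.

```shell
#!/bin/sh
# Added example: audit the three places the advisory says mmap_min_addr is set.

# Classify a value against the advisory: 0 = no protection, 4096 = recommended.
classify_min_addr() {
    case "$1" in
        '')       echo unset ;;
        *[!0-9]*) echo invalid ;;
        *)  if [ "$1" -eq 0 ]; then echo unprotected
            elif [ "$1" -lt 4096 ]; then echo below-advisory
            else echo ok; fi ;;
    esac
}

# Effective vm.mmap_min_addr in a sysctl.conf-style file (last assignment wins).
sysctl_conf_min_addr() {
    [ -r "$1" ] || return 0
    awk -F= '/^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
          if (k == "vm.mmap_min_addr") last = v }
        END { if (last != "") print last }' "$1"
}

# CONFIG_DEFAULT_MMAP_MIN_ADDR from a kernel .config.
kconfig_min_addr() {
    [ -r "$1" ] || return 0
    awk -F= '$1 == "CONFIG_DEFAULT_MMAP_MIN_ADDR" { last = $2 }
        END { if (last != "") print last }' "$1"
}

# Args: runtime file, sysctl.conf, kernel .config (default paths are assumptions).
audit_mmap_min_addr() {
    proc=${1:-/proc/sys/vm/mmap_min_addr}
    conf=${2:-/etc/sysctl.conf}
    kcfg=${3:-/usr/src/linux/.config}
    live=$(cat "$proc" 2>/dev/null || true)
    echo "runtime=$(classify_min_addr "$live")" \
         "persisted=$(classify_min_addr "$(sysctl_conf_min_addr "$conf")")" \
         "kconfig=$(classify_min_addr "$(kconfig_min_addr "$kcfg")")"
}

# Constructed sample: runtime value set by hand, not persisted, kernel built with =0.
demo=$(mktemp -d)
echo 4096 > "$demo/proc"
printf '# vm.mmap_min_addr = 4096\nkernel.panic = 10\n' > "$demo/sysctl.conf"
printf 'CONFIG_SECURITY=y\nCONFIG_DEFAULT_MMAP_MIN_ADDR=0\n' > "$demo/config"
audit_mmap_min_addr "$demo/proc" "$demo/sysctl.conf" "$demo/config"
rm -rf "$demo"
```

A host that reports runtime=ok with persisted=unset and kconfig=unprotected returns to a zero minimum after the next reboot, which is the case the sysctl.conf package in the ChangeLog addresses.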

Affected Software/OS:
'kernel' package(s) on Slackware 12.1, Slackware 12.2, Slackware current.

Solution:
Please install the updated package(s).

CVSS Score:
7.2

CVSS Vector:
AV:L/AC:L/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-2692
BugTraq ID: 36038
http://www.securityfocus.com/bid/36038
Bugtraq: 20090813 Linux NULL pointer dereference due to incorrect proto_ops initializations
http://www.securityfocus.com/archive/1/505751/100/0/threaded
Bugtraq: 20090818 rPSA-2009-0121-1 kernel open-vm-tools
http://www.securityfocus.com/archive/1/505912/100/0/threaded
Bugtraq: 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components
http://www.securityfocus.com/archive/1/507985/100/0/threaded
Bugtraq: 20100625 VMSA-2010-0010 ESX 3.5 third party update for Service Console kernel
http://www.securityfocus.com/archive/1/512019/100/0/threaded
Debian Security Information: DSA-1865
http://www.debian.org/security/2009/dsa-1865
http://www.exploit-db.com/exploits/19933
http://www.exploit-db.com/exploits/9477
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
http://www.mandriva.com/security/advisories?name=MDVSA-2009:233
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
http://grsecurity.net/~spender/wunderbar_emporium.tgz
http://zenthought.org/content/file/android-root-2009-08-16-source
http://www.openwall.com/lists/oss-security/2009/08/14/1
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657
RedHat Security Advisories: RHSA-2009:1222
http://rhn.redhat.com/errata/RHSA-2009-1222.html
RedHat Security Advisories: RHSA-2009:1223
http://rhn.redhat.com/errata/RHSA-2009-1223.html
http://www.redhat.com/support/errata/RHSA-2009-1233.html
http://secunia.com/advisories/36278
http://secunia.com/advisories/36289
http://secunia.com/advisories/36327
http://secunia.com/advisories/36430
http://secunia.com/advisories/37298
http://secunia.com/advisories/37471
SuSE Security Announcement: SUSE-SR:2009:015
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
http://www.vupen.com/english/advisories/2009/2272
http://www.vupen.com/english/advisories/2009/3316
Copyright: Copyright (C) 2012 Greenbone AG
