CVE-2010-2942

21.09.2010, 18:00

The actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc2 does not properly initialize certain structure members when performing dump operations, which allows local users to obtain potentially sensitive information from kernel memory via vectors related to (1) the tcf_gact_dump function in net/sched/act_gact.c, (2) the tcf_mirred_dump function in net/sched/act_mirred.c, (3) the tcf_nat_dump function in net/sched/act_nat.c, (4) the tcf_simp_dump function in net/sched/act_simple.c, and (5) the tcf_skbedit_dump function in net/sched/act_skbedit.c.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
redhat	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Vendor	Product	Version
linux	linux_kernel	𝑥 ≤ 2.6.35.13
linux	linux_kernel	2.6.36
linux	linux_kernel	2.6.36:rc1
canonical	ubuntu_linux	6.06
canonical	ubuntu_linux	8.04
canonical	ubuntu_linux	9.04
canonical	ubuntu_linux	9.10
canonical	ubuntu_linux	10.04
canonical	ubuntu_linux	10.10
opensuse	opensuse	11.1
opensuse	opensuse	11.3
avaya	aura_communication_manager	5.2
avaya	aura_presence_services	6.0
avaya	aura_presence_services	6.1
avaya	aura_presence_services	6.1.1
avaya	aura_session_manager	1.1
avaya	aura_session_manager	5.2
avaya	aura_session_manager	6.0
avaya	aura_system_manager	5.2
avaya	aura_system_manager	6.0
avaya	aura_system_manager	6.1
avaya	aura_system_manager	6.1.1
avaya	aura_system_platform	1.1
avaya	aura_system_platform	6.0
avaya	aura_system_platform	6.0:sp1
avaya	iq	5.0
avaya	iq	5.1
avaya	voice_portal	5.0
avaya	voice_portal	5.1
avaya	voice_portal	5.1:sp1
vmware	esx	4.0
vmware	esx	4.1

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

linux

maverick	not-affected
lucid	Fixed 2.6.32-25.45 released
karmic	Fixed 2.6.31-22.67 released
jaunty	Fixed 2.6.28-19.66 released
hardy	Fixed 2.6.24-28.80 released
dapper	dne

linux-ec2

maverick	ignored
lucid	Fixed 2.6.32-309.18 released
karmic	Fixed 2.6.31-307.21 released
hardy	dne
dapper	dne

linux-fsl-imx51

maverick	dne
lucid	Fixed 2.6.31-608.22 released
karmic	Fixed 2.6.31-112.30 released
hardy	dne
dapper	dne

linux-lts-backport-maverick

maverick	dne
lucid	Fixed 2.6.35-25.44~lucid1 released
karmic	dne
hardy	dne
dapper	dne

linux-mvl-dove

maverick	Fixed 2.6.32-416.33 released
lucid	Fixed 2.6.32-216.33 released
karmic	ignored
hardy	dne
dapper	dne

linux-source-2.6.15

maverick	dne
lucid	dne
karmic	dne
jaunty	dne
hardy	dne
dapper	Fixed 2.6.15-55.89 released

Common Weakness Enumeration

CWE-401 - Missing Release of Memory after Effective Lifetime
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

References

http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git%3Ba=commit%3Bh=1c40be12f7d8ca1d387510d39787b12e512a7ce8

http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00005.html

http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00000.html

http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html

http://patchwork.ozlabs.org/patch/61857/

http://secunia.com/advisories/41512

http://secunia.com/advisories/46397

http://support.avaya.com/css/P8/documents/100113326

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.36-rc2

http://www.openwall.com/lists/oss-security/2010/08/18/1

http://www.openwall.com/lists/oss-security/2010/08/19/4

http://www.redhat.com/support/errata/RHSA-2010-0723.html

http://www.redhat.com/support/errata/RHSA-2010-0771.html

http://www.redhat.com/support/errata/RHSA-2010-0779.html

http://www.securityfocus.com/archive/1/520102/100/0/threaded

http://www.securityfocus.com/bid/42529

http://www.ubuntu.com/usn/USN-1000-1

http://www.vmware.com/security/advisories/VMSA-2011-0012.html

http://www.vupen.com/english/advisories/2010/2430

http://www.vupen.com/english/advisories/2011/0298

https://bugzilla.redhat.com/show_bug.cgi?id=624903

http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git%3Ba=commit%3Bh=1c40be12f7d8ca1d387510d39787b12e512a7ce8

http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00005.html

http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00000.html

http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html

http://patchwork.ozlabs.org/patch/61857/

http://secunia.com/advisories/41512

http://secunia.com/advisories/46397

http://support.avaya.com/css/P8/documents/100113326

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.36-rc2

http://www.openwall.com/lists/oss-security/2010/08/18/1

http://www.openwall.com/lists/oss-security/2010/08/19/4

http://www.redhat.com/support/errata/RHSA-2010-0723.html

http://www.redhat.com/support/errata/RHSA-2010-0771.html

http://www.redhat.com/support/errata/RHSA-2010-0779.html

http://www.securityfocus.com/archive/1/520102/100/0/threaded

http://www.securityfocus.com/bid/42529

http://www.ubuntu.com/usn/USN-1000-1

http://www.vmware.com/security/advisories/VMSA-2011-0012.html

http://www.vupen.com/english/advisories/2010/2430

http://www.vupen.com/english/advisories/2011/0298

https://bugzilla.redhat.com/show_bug.cgi?id=624903