kernel security and bug fix update (RHSA-2011-1465)

Original Release Date: January 12, 2011
Last Revised: June 12, 2012
Number: ASA-2011-370
Risk Level: Medium
Advisory Version: 2.0
Advisory Status: Final

1. Overview:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues:

IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2699 to this issue.

A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-3191 to this issue.

A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-4326 to this issue.

The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-3188 to this issue.

A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation. A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-3353 to this issue.

A flaw was found in the b43 driver in the Linux kernel. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially-crafted frame to that interface could cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-3359 to this issue.

A flaw was found in the way CIFS shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-3363 to this issue.

A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-3593 to this issue.

A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1162 to this issue.

A heap overflow flaw was found in the Linux kernel's EFI GUID Partition Table (GPT) implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially-crafted partition tables. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1577 to this issue.

The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2494 to this issue.

It was found that the perf tool, a part of the Linux kernel's Performance Events implementation, could load its configuration file from the current working directory. If a local user with access to the perf tool were tricked into running perf in a directory that contains a specially-crafted configuration file, it could cause perf to overwrite arbitrary files and directories accessible to that user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2905 to this issue.

More information about these vulnerabilities can be found in the security advisory issued by Red Hat:

2. Avaya System Products using a modified version of RHEL6 with affected packages installed:
Product: Affected Version(s): Risk Level: Actions:
Avaya Aura® Experience Portal 6.0 Medium Upgrade to Avaya Enterprise Linux for Experience Portal 6.0 SP1 and Experience Portal 6.0 SP1 or later.

Recommended Actions for System Products:
Avaya strongly recommends that customers follow networking and security best practices by implementing firewalls, ACLs, physical security or other appropriate access restrictions. Though Avaya believes such restrictions should always be in place, risk to Avaya products and the surrounding network from this potential vulnerability may be mitigated by ensuring these practices are implemented until such time as an Avaya provided product update or the recommended Avaya action is applied. Further restrictions as deemed necessary based on the customer's security policies may be required during this interim period, but customers should not modify the System Product operating system or application unless the change is approved by Avaya. Making changes that are not approved may void the Avaya product service contract.

Mitigating Factors:

When determining risk, Avaya takes into account many factors as outlined by Avaya's Security Vulnerability Classification Policy. The following table describes factors that mitigate the risk of specific vulnerabilities for affected Avaya products:

Vulnerability Mitigating Factors
CVE-2011-1162 This is a Low risk because TPM commands are not used by default.
CVE-2011-1577 This is a Low risk because specially-crafted partition tables are not used by default and vulnerability could only be exploited by a privileged user.
CVE-2011-2494 This is a Low risk because no product specific confidential information is available.
CVE-2011-2699 There is no risk because IPv6 is not supported.
CVE-2011-2905 This is a Low risk because the perf tool is not used by default.
CVE-2011-3188 This is a Low risk because of the complexity of the brute force attack, the need to gain man-in-the-middle access, and the fact that TLS can be used to secure connections.
CVE-2011-3191 This is a Low risk because CIFS shares are not used by default.
CVE-2011-3353 There is no risk because the fuse rpm is not installed by default.
CVE-2011-3359 There is no risk because supported servers don't have wireless networking capability.
CVE-2011-3363 This is a Low risk because CIFS shares are not used by default.
CVE-2011-3593 This is a Medium risk due to the potential of a Denial of Service (DoS).
CVE-2011-4326 There is no risk because IPv6 is not supported.

3. Avaya Software-Only Products:

Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.

In the case of this advisory Avaya software-only products are not affected by the vulnerability directly but the underlying Linux platform may be. Customers should determine on which Linux operating system the product was installed and then follow that vendor's guidance.

Product: Actions:
Avaya Aura® Application Enablement Services 4.x/5.x Depending on the Operating System provided by customers, the affected package may be installed on the underlying Operating System supporting the AES application.
CVLAN Depending on the Operating System provided by customers, the affected package may be installed on the underlying Operating System supporting the CVLAN application.
Avaya Aura® Experience Portal Depending on the Operating System provided by customers, the affected package may be installed on the underlying Operating System supporting the EP application.
Avaya Integrated Management Suite (IMS) Depending on the Operating System provided by customers, the affected package may be installed on the underlying Operating System supporting the IMS application.
Avaya Aura® Presence Services Depending on the Operating System provided by customers, the affected package may be installed on the underlying Operating System supporting the PS application.
Avaya Aura® System Manager 1.0 Depending on the Operating System provided by customers, the affected package may be installed on the underlying Operating System supporting the SMGR application.
Avaya Voice Portal Depending on the Operating System provided by customers, the affected package may be installed on the underlying Operating System supporting the VP application.

Recommended Actions for Software-Only Products:
In the event that the affected package is installed, Avaya recommends that customers follow recommended actions supplied by Red Hat regarding their Enterprise Linux.

4. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

5. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

6. Revision History:

V 1.0 - January 12, 2011 - Initial Statement issued.
V 2.0 - June 12, 2012 - Changed product affected versions, actions and advisory status to final.

Send information regarding any discovered security problems with Avaya products to either the contact noted in the product's documentation or securityalerts@avaya.com.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

© 2011 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.