LinuxQuestions.org - Linux - Security - Kernel Vulns (http://www.linuxquestions.org/questions/linux-security-4/kernel-vulns-399624/)

unSpawn 01-04-2006 07:19 PM

Kernel Vulns
 
I would like to ask anyone who sees kernel vulnerabilities posted to add them to this thread. This way we can make sure they're published centrally. Please add a good, short title or CVE ID and the date it was published. If you post a summary keep it concise and please link to the original publication.

Please note this thread serves as a listing and not for *discussing* those vulnerabilities: please create a separate thread. Thanks.

CVE entries for linux+kernel.

FYI from win32sux to all: I am now unable to post vulnerabilities regarding the 2.4 branch, as well as prior 2.6 branches. In other words, I am only posting vulnerabilities which affect the latest stable 2.6 branch. Also, please keep in mind that I only announce new kernel releases when they include patches to known security vulnerabilities.

unSpawn 01-04-2006 07:28 PM

2006-01-04 CVE-2005-3358 (mempolicy, sysctl, fib_lookup, TwinHan DST driver)
 
Advisory ID : FrSIRT/ADV-2006-0035
CVE ID : CVE-2005-3358
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-01-04

Technical Description
Multiple vulnerabilities were identified in Linux Kernel, which could be exploited by malicious users to cause a denial of service and potentially obtain elevated privileges.
- The first issue is due to an error in "mm/mempolicy.c" when handling policy system calls, which could be exploited by local attackers to cause a denial of service via a "set_mempolicy" call with a 0 bitmask.
- The second flaw is due to a one-byte buffer overrun error in "kernel/sysctl.c" when processing an overly long user-supplied string, which could be exploited by local attackers to potentially execute arbitrary commands.
- The third vulnerability is due to an error in "net/ipv4/fib_frontend.c" when processing malformed "fib_lookup" netlink messages, which could cause illegal memory references.
- The fourth issue is due to a buffer overflow error in the CA-driver for TwinHan DST Frontend/Card [drivers/media/dvb/bt8xx/dst_ca.c], which could be exploited by malicious users to cause a denial of service or potentially execute arbitrary commands.

Affected Products
Linux Kernel version 2.6.x

Solution
Upgrade to Linux Kernel version 2.6.15


See full advisory: FrSIRT/ADV-2006-0035.

nx5000 01-17-2006 02:36 AM

2006-01-16 CVE-2006-0035/0036/0037 (netlink_rcv_skb, PPTP NAT helper)
 
Advisory ID : FrSIRT/ADV-2006-0220
CVE ID : CVE-2006-0035 - CVE-2006-0036 - CVE-2006-0037
Rated as : Moderate Risk
CVSS Severity: 3.5 (Low), 3.3 (Low), 2.3 (Low)
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-01-16

Technical Description

Multiple vulnerabilities were identified in Linux Kernel, which could be exploited by remote or local attackers to cause a denial of service.

The first issue is due to an infinite loop in the "netlink_rcv_skb" [af_netlink.c] function when handling a specially crafted "nlmsg_len" value, which could be exploited by local attackers to cause a denial of service.

The second flaw is due to an error in the PPTP NAT helper that does not properly calculate the offset when handling an inbound "PPTP_IN_CALL_REQUEST" packet, which could be exploited by attackers to crash a vulnerable system.

The third vulnerability is due to an error in the PPTP NAT helper that does not properly calculate the offset based on the difference between two pointers to the header, which could be exploited by attackers to cause a kernel crash.

Affected Products

Linux Kernel version 2.6.15 and prior

Solution

Upgrade to Linux Kernel 2.6.15.1 :
http://www.kernel.org/

Credits

Vulnerabilities reported by Martin Murray and the vendor

See full advisory

nx5000 01-18-2006 01:48 AM

2006-01-17 CVE-2006-0095 (dm-crypt)
 
Advisory ID : FrSIRT/ADV-2006-0235
CVE ID : CVE-2006-0095
Rated as : Low Risk
CVSS Severity: 1.6 (Low)
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-01-17

Technical Description

A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to gain knowledge of sensitive information. This flaw is due to an error in the "dm-crypt" [drivers/md/dm-crypt.c] driver that fails to properly clear memory before freeing it, which could be exploited by malicious users to disclose sensitive information about cryptographic keys.

Affected Products

Linux Kernel version 2.6.15.1 and prior

Solution

Upgrade to Linux Kernel version 2.6.15.2 :
http://www.kernel.org

Credits

Vulnerability reported by Stefan Rompf

See full advisory

nx5000 02-06-2006 01:24 AM

2006-02-02 CVE-2006-0482 (compat_sys_clock_settime for SPARC)
 
Advisory ID : FrSIRT/ADV-2006-0418
CVE ID : CVE-2006-0482
Rated as : Low Risk
CVSS Severity: 1.6 (Low)
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-02-02

Technical Description

A vulnerability has been identified in Linux Kernel, which could be exploited by malicious users to cause a denial of service. This flaw is due to an error in the "compat_sys_clock_settime()" [arch/sparc64/kernel/sys32.S] function that provides invalid sign extended arguments to the "get_compat_timespec()" function call when processing a "date -s" command on SPARC architectures, which could be exploited by local attackers to panic the system, creating a denial of service condition.

Affected Products

Linux Kernel version 2.6.15.1 and prior

Solution

The FrSIRT is not aware of any officially supplied patch for this issue.

Credits

Vulnerability reported by Ludovic Courtès

See full advisory: FrSIRT/ADV-2006-0418

nx5000 02-08-2006 07:25 AM

2006-02-08 CVE-2006-0454 (icmp response remote DoS)
 
Advisory ID : FrSIRT/ADV-2006-0464
CVE ID : CVE-2006-0454
Rated as : Moderate Risk
CVSS Severity: 2.3 (Low)
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-02-08

Technical Description

A vulnerability has been identified in Linux Kernel, which could be exploited by remote attackers to cause a denial of service. This flaw is due to an error in the "ip_options_echo()" [net/ipv4/icmp.c] function when constructing an ICMP response, which could be exploited by remote attackers to cause a denial of service by sending specially crafted ICMP packets containing record-route or timestamp IP options to a vulnerable system.

Affected Products

Linux Kernel versions 2.6.12 through 2.6.15.2

Solution

Upgrade to Linux Kernel 2.6.15.3 :
http://www.kernel.org/

Credits

Vulnerability reported by the vendor

See full advisory

unSpawn 02-21-2006 05:27 PM

2006-02-21 CAN-2005-1767 (Stack Fault Exceptions Unspecified DoS)
 
HTTP link: http://www.securityfocus.com/bid/14467
Bugtraq ID: 14467
CVE ID : CAN-2005-1767
Remotely: No
Local: Yes
Release Date : 2006-02-21

Description
Linux kernel is reported prone to an unspecified local denial of service vulnerability. It was reported that this issue arises when a local user triggers stack fault exceptions. A local attacker may exploit this issue to carry out a denial of service attack against a vulnerable computer by crashing the kernel.

Affected Products
Linux Kernel versions 2.4 to 2.6

Solution
Upgrade to latest Linux Kernel: http://www.kernel.org/

win32sux 03-02-2006 10:40 AM

Linux Kernel Local Denial of Service Vulnerabilities (Not Critical)
 
Quote:

CVE reference: CVE-2006-0554, CVE-2006-0555, CVE-2006-0741

Description:
Some vulnerabilities have been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

1) An error in the "nfs_get_user_pages()" function due to insufficient checks on the return value returned by the "get_user_pages()" function can be exploited to cause a local DoS by performing an O_DIRECT write to an NFS file where the user buffer starts with a valid mapped page, but also contains an unmapped page.

2) Missing checks for bad elf entry addresses can be exploited to cause an endless recursive fault on Intel systems, which results in a local DoS.

An error in the XFS "ftruncate()" function, which may expose stale data off disk to users, has also been reported.

Solution:
Update to version 2.6.15.5.
http://www.kernel.org/
Secunia Advisory: http://secunia.com/advisories/19083/

win32sux 03-08-2006 01:48 AM

Linux Kernel "die_if_kernel()" Potential Denial of Service (Not Critical)
 
Quote:

CVE reference: CVE-2006-0742

Description:
A vulnerability has been reported in the Linux kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to the "die_if_kernel()" function in "arch/ia64/kernel/unaligned.c" being erroneously marked with a "noreturn" attribute. This can potentially be exploited to cause a DoS on Itanium systems, when the kernel is compiled with certain versions of the gcc compiler.

Solution:
Update to version 2.6.15.6.
http://www.kernel.org/
Secunia Advisory: http://secunia.com/advisories/19078/

unSpawn 03-22-2006 07:07 AM

Linux kernel Netfilter/do_replace and NDIS response (Moderately critical)
 
HTTP link: http://secunia.com/advisories/19330/
CVE ID : unknown
Remotely: no
Release Date : 2006-03-22

Description
Two vulnerabilities have been reported in the Linux Kernel, which have an unknown impact.

1) An integer overflow error exists within the "do_replace()" function in Netfilter. This can be exploited to cause a buffer overflow and allows the overwrite of arbitrary amounts of kernel memory when data is copied from user space.

2) Insufficient memory allocation in "drivers/usb/gadget/rndis.c" when handling NDIS response to OID_GEN_SUPPORTED_LIST may cause kernel memory corruption.

Solution:
Update to version 2.6.16.
http://www.kernel.org/

win32sux 03-22-2006 07:25 AM

Quote:

Originally Posted by unSpawn
An integer overflow error exists within the "do_replace()" function in Netfilter. This can be exploited to cause a buffer overflow and allows the overwrite of arbitrary amounts of kernel memory when data is copied from user space.

Quote:

From: Harald Welte <laforge@netfilter.org>
To: vuldb@securityfocus.com
Date: Wed, 22 Mar 2006 11:57:17 +0100
Subject: Wrong information on http://www.securityfocus.com/bid/17178/discuss
Hi!

As a member of the netfilter core team, I would like to ask you to
immediately stop spreading false information about an allegedly remotely
exploitable vulnerability that simply doesn't exist.

I don't know how you come to the conclusion at
http://www.securityfocus.com/bid/17178/discuss, that "This issue allows
remote attackers to overwrite kernel memory with arbitrary data,
potentially allowing them to execute malicious machine code in the
context of affected kernels."

The respective bug [called do_replace() bug] is in a code path that can
ONLY be executed by a local root user. In fact, it is a bug in the
codepath for ruleset changes.

So unless you have a locally malicious root user (which could change the
ruleset anyway, and very likely load arbitrary code via kernel modules
or patch /proc/kmem), there is nothing that can be exploited.

Neither for local non-root users, nor for any remote party.

Please correct information in your vulnerability data base as soon as
possible! Your wrong assessment has already been picked up by some
other news sites, and users are starting to inquire the project about a
security threat that doesn't even exist.

Thanks in advance,
Harald
NOTE: This post is only meant as a follow-up, to further inform admins about this specific bug (so that no unnecessary freaking-out occurs). It should not be interpreted as a "discussion starter" in any way. To discuss this bug (or any others), please use a separate thread, as was indicated in the OP by unSpawn. Thanks.

win32sux 03-23-2006 11:43 AM

Linux Kernel IPv4 "sockaddr_in.sin_zero" Information Disclosure (Not Critical)
 
Quote:

CVE reference: CVE-2006-1342, CVE-2006-1343

Description:
Pavel Kankovsky has reported a weakness in the Linux kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.

The weakness is caused due to the "sockaddr_in.sin_zero" array not being zeroed before being returned to user space programs calling certain socket functions to retrieve information about the specified socket. This can be exploited to disclose six uninitialised bytes of the kernel stack via calls to the "getsockopt()" function with the "SO_ORIGINAL_DST" option, or via calls to the "getsockname()", "getpeername()", and "accept()" functions.

The weakness has been reported in the 2.4 and 2.6 kernel branches.

NOTE: The weakness in the "getsockname()", "getpeername()", and "accept()" functions affects only the 2.4 kernel.

Solution:
The weakness has been fixed in the 2.4 kernel branch in the CVS repositories.

Secunia is currently not aware of any official patches for the 2.6 kernel.
Secunia Advisory: http://secunia.com/advisories/19357/

win32sux 03-28-2006 11:26 AM

Linux Kernel IP ID Value Increment Weakness (Not Critical)
 
Quote:

CVE reference: CVE-2006-1242

Description:
Marco Ivaldi has reported a weakness in the Linux kernel, which can be exploited by malicious people to disclose certain system information and potentially to bypass certain security restrictions.

The weakness is caused due to an error within the "ip_push_pending_frames()" function when creating a packet in reply to a received SYN/ACK packet. This causes RST packets to be sent with an IP ID value that is incremented per packet. This can potentially be exploited to conduct idle scan attacks.

The weakness has been reported in the 2.4 and 2.6 kernel branches.

Solution:
Update to version 2.6.16.1.
http://www.kernel.org/

Secunia is currently not aware of any official patches for the 2.4 kernel.
Secunia Advisory: http://secunia.com/advisories/19402/

win32sux 04-07-2006 07:19 AM

Linux Kernel Sysfs Local Denial of Service Vulnerability (Not Critical)
 
Quote:

CVE reference: CVE-2006-1055

Description:
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an out-of-bounds memory error in the "fill_write_buffer()" function in sysfs/file.c when writing exactly PAGE_SIZE amount of data with no zeroes in it to a sysfs file.

Solution:
The vulnerability has been fixed in version 2.6.17-rc1.
Secunia Advisory: http://secunia.com/advisories/19495/

UPDATE: Stable kernel 2.6.16.2 has just been released. It includes the patch for CVE-2006-1055, among other things. As usual, you can get your copy at: http://www.kernel.org/

win32sux 04-11-2006 11:54 AM

Linux Kernel "__keyring_search_one()" Denial of Service (Not Critical)
 
Quote:

CVE reference: CVE-2006-1522

Description:
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the "__keyring_search_one()" function when adding a key to a non-keyring key.

Solution:
Update to version 2.6.16.3 or later.
Secunia Advisory: http://secunia.com/advisories/19573/

UPDATE #1: 2.6.16.4 has been released.

Less than 12 hours after 2.6.16.3 was released, the -stable team patched the code with a one-liner, releasing 2.6.16.4. A Secunia advisory isn't out yet, but the commit in git states the patch addresses an issue with RCU signal handling, which is CVE-2006-1523.

UPDATE #2: 2.6.16.5 has been released.

One day after 2.6.16.4 was released, the -stable team patched the code once again, releasing 2.6.16.5. A Secunia advisory isn't out yet, but git shows that one patch addresses an issue with uncanonical return addresses on x86_64, which is CVE-2006-0744.

